Lightbulbs were invented to do one thing: illuminate a room or a space. Cybercriminals, however, may find that these glass miracles can be used to shed light in a more metaphorical sense – to spy on users’ private data and preferences.
The light emitted by modern smart bulbs can be used in two different types of privacy attacks, according to academic research from the University of Texas at San Antonio. The most serious attack uses the bulbs’ infrared capabilities to carry out covert-channel exfiltration of a user’s private data, out of a secured or air-gapped home or office network.
The other type of vector is much less concerning, and allows attackers to deduce users’ audio and video playback preferences via the multimedia-visualization functionality of the bulbs.
Data-Exfiltration for Air-Gapped Environments
In the attack scenario that presents the most danger to consumers, an adversary can actively and covertly exfiltrate private data from within a smart-light user’s personal device or network from up to 50 meters away (albeit with significant garbling of the information at that distance).
There are easier ways to snoop data from a network remotely using malware of course. But the takeaway from this research is that for environments that are highly secure or air-gapped, the technique can be brilliant, so to speak, as it requires no communication with the target’s network.
What it does require however is a preliminary malware attack. The adversary must install malware on a smartphone or computer that connects to the same network as the infrared-capable smart bulbs. This can be achieved with the usual bag of tricks: social engineering, web injection attacks, spam and so on. The bad code collects the data and then encodes it.
“The malicious software agent is responsible for encoding target user’s private data (accessible on-device or on the network) in a format suitable for infrared communication, and transmits the encoded data using the user’s infrared-enabled smart light,” the researchers explained, in the recently released paper. “We also assume that the malicious software agent cannot directly communicate with an adversarial server over the internet (for example, due to a firewall), or that the user’s network is air-gapped.”
The Infrared Difference
The paper explained that an adversary could use either the visible or infrared spectrum of a smart bulb to create an one-way, line-of-sight data exfiltration gateway, using known transmission techniques such as amplitude and/or wavelength shift-keying. While similar research has covered the ability to transmit data using visible photons from a secure or air-gapped network, the recent paper demonstrated an improvement in accuracy (and covertness) by using the infrared spectrum.
“Infrared-enabled smart lights can act as a superior data exfiltration gateway because – (a) they have fine-grained control of brightness/intensity, which can be used to design communication protocols that achieve higher throughput, (b) they are brighter than LED indicators found on computers and routers, increasing the possibility of data reconstruction from a longer distance, and (c) the adversary does not have to surreptitiously place any additional malicious hardware in the target area (i.e., in addition to the smart light already installed by the user),” the team noted.
It’s also stealthier. “As human eyes are not sensitive to the infrared spectrum, it can be used to create a covert channel, which can remain undetected for longer durations,” the researchers explained.
Once the line-of-site transmission channel is set up, the attacker can then use the aforementioned malware to encode private data of interest (in binary form), which is then transmitted in blocks by controlling the infrared power level of the smart bulb connected to the same device or network.
“For example in 4-ary ASK, a ’00’ data block will be transmitted by setting the infrared power level of the bulb at 0 (off), a ’01’ data block will set the power level at 21845 (65536÷(M−1)), a ’10’ data block will set the power level at 43690, and a ’11’ data block will set the infrared power level at 65535 (maximum),” the researchers explained.
The attacker meanwhile uses an infrared sensor to receive the encoded information from the target user’s smart bulb.
“Once a start symbol is received by the infrared sensor, the adversary starts recording the observed infrared amplitudes representing the M-ary ASK encoded data, until an end symbol is received,” the researchers explained. “Then the adversary normalizes the recorded data based on the maximum amplitude, and decodes it to reconstruct the private data in binary format.”
Depending on the amount of signal attenuation and channel noise, the reconstructed data may not be identical to the original data – a state of affairs that, as would be expected, worsens with distance.
The adversarial observation distance from the smart bulb in the testing was increased in steps (five, 15, 30 and 50 meters); the bit error rate (BER) in the reconstructed data was calculated for each. The infrared signal strength reduces as distance from the bulb increases, so the BER ranged from 0.138 to 0.496 – i.e., almost 50 percent at the boundary of the range.
Text reconstruction at 15 meters.
“However, even with high BER the reconstructed data can still be useful for an adversary. For example, text inference from reconstructed data is easier than many other encoding schemes,” according to the paper. “An adversary can perform additional semantic analysis on the reconstructed text to improve its correctness and legibility.”
This attack is possible on hub-less smart lights (the researchers used the popular LIFX smart bulbs) due to the lack of permission controls for controlling the lights within the local network. However, an attack may also work with a controller hub in the mix, the researchers added – if the hub itself does not have permission controls. They also said that the Phillips Hue ecosystem, which does use a hub with permission controls, can be compromised if an adversary uses malware to obtain access credentials.
Incidentally, the work also examined the effect of higher bandwidth on these types of attacks.
“Depending on the amount of private data to be covertly exfiltrated, channel bandwidth can be a deciding factor in the success of such an attack,” the team said. “As a higher-bandwidth channel will take less time to transmit the data, compared to a lower-bandwidth channel, the likelihood of a detection and/or disruption is lessened with higher bandwidth.”
Multimedia Attacks
The other threat the researchers examined involves a feature of some bulbs known as multimedia-visualization, which is meant to work with a nearby media player to synchronize the lights to a song or video playing. An attack could allow a physical observer to uncover what someone is watching or listening to, just by logging the pattern of the lighting.
The researchers experimented with the LIFX and Phillips Hue bulbs, which support millions of colors and multiple shades of white, with granular brightness and saturation controls. They connect over the home WiFi network to devices like the Light DJ or the lifxDynamic/hueDynamic media player to create a coordinated entertainment light show.
“Many of the current-generation smart lights are also LED-based, which enables fine-grained customization of color and intensity of the light being emitted from these bulbs,” the researchers explained. “A few advanced smart lights are also equipped with infrared capabilities, intended to aid surveillance cameras in low-visibility environments.”
The researchers designed an inference framework that starts with the adversary recording the observed luminance or color profile of an unknown target song or video using a luminance meter or color sensor, respectively.
For audio, “we can create template luminance profiles by sampling the amplitudes in waveform audio files at 10 Hz, and converting them to absolute values,” said the researchers. “These template luminance-profiles serve as an approximate representation of how a audio-visualizing smart bulb will react.”
For video, they observed color-profile templates are created from a time-series of observed RGB values, recorded at a constant sampling rate.
Then, they matched the normalized luminance or color profile against a comprehensive reference library – 400 chart-topping songs in country, dance, jazz and rock; and 500 full-length movies released on Blu-ray in the last 10 years. The results yielded a 51 percent accuracy rate (and an 82 percent accuracy rate for inferring song genres).
For an attack to be successful, an adversary would need to be in a vantage position to observe the light emissions; and in addition to visual eavesdropping instruments, such as light and color sensors, he or she would need to create a comprehensive reference library of media items (songs and videos), and then have enough processing power on his or her computer to match the eavesdropped light patterns to items in the reference library in an automated fashion.
