Major aspects of our everyday life have gradually shifted to some degree of Internet access over the past couple of years. Smartphones and other gadgets are becoming essential. Bills to be paid? Those programmes are now online. Tax? Online. Bank statements and pay stubs? Time to go paperless. welfare services? For that, there is a login gateway. People, in short, require web access.
Many less important systems and services are also undergoing this transition, though. Additionally, if it contains a computer and is connected to the Internet, you can be sure that someone will eventually find a way to breach it. The time has come for internet-connected light bulbs to shine.
Shining a light on vulnerabilities
Researchers found two possible weaknesses in a well-known smart lighting system back in 2021. They were able to make the light bulbs flicker because of their vulnerability. The system could “forget” its configuration and turn all bulbs to the maximum in the worst-case situation. CVE-2022-39064 and CVE-2022-39065 describe these problems. The phrase “Blink once to assume control, blink a couple more times to complete a factory reset” is used here instead of the more common “Blink once for yes, blink twice for no.”
The victims of these possible attacks could restart their gateway. But there would be no protection against the attackers coming back at any point without it. Given that it “only” causes a light bulb to blink, some people might be wondering what the big deal is. Well, ramping up a person’s household to maximum lightbulb brightness over an extended period of time isn’t terrific in these eras of skyrocketing energy bill rates, to say the least.
There is, however, more to it than that. It shouldn’t be possible for unauthorized users to control the computer, whether it’s a server or a light bulb, without your consent. The only thing you can be certain of when they do is that your security has been compromised.
All software versions starting with 1.19.26 have a fix for the first CVE. The Record claims that CVE-2022-39064 “has not been adequately dealt with” and that there is no estimated time of arrival for a complete fix.
The winding road of IoT issues
Many people enjoy the concept of controlling every element of their home life through a single app or service, which is why the Internet of Things (IoT) is here to stay. Regrettably, some products or services are shoddy constructed and unsafe by design.
IoT gadgets may also pose new dangers. Some gadgets unintentionally give controlling persons new methods to annoy and mistreat their relationship or ex-partner, for instance.
Additionally, making equipment “smart” frequently entails making it reliant on a cloud service or Internet connection, which is OK until those things stop working. A 2020 Amazon cloud service outage was able to disable a variety of devices, including doorbells and vacuums, that had previously been unaffected.
In all likelihood, the genie is already out of the bottle. And manufacturers will keep adding “smart” features to everything from TVs to refrigerators. Because IoT failures can be far more significant than a little unauthorized light flashing. It’s critical that researchers and device tinkerers be able to investigate, discover, and report on any security risks. Hacker Sick Codes described how they gained access to a John Deere tractor and installed a copy of Doom in a recent Lock and Code episode.
What can you do in light of this, then?
First of all, handle any “smart” possessions you have as if they were simply another computer. Know how you’ll find out about security updates, as well as how to download and install them. Open a support chat with the manufacturer if you are unable to do so or if there are recognized issues that do not appear to have a solution.