Anindya Maiti from the University of Texas at San Antonio has recently published a research paper titled “Light Ears: Information Leakage via Smart Lights”. In the paper, Maiti discloses that a user's multimedia preferences can be deduced from smart bulbs, and that data can be pivoted out of the network by leveraging the bulbs' infrared capabilities.
He used Philips Hue and LIFX smart lighting systems for his research. Smart light bulbs can be controlled remotely from devices such as mobile phones and computers. The attack uses the multimedia visualization capabilities to exfiltrate the multimedia preferences, and the infrared capabilities to pivot the data outside the Local Area Network.
Protocols used by Smart Light Bulbs :
LIFX and Zigbee ZLL are the two most important protocols that an adversary would probably use to communicate with the lighting system. LIFX uses its own protocol, whereas Philips Hue uses Zigbee for communication.
A smart lighting system has the potential to perform two important operations (this varies with the manufacturer). They are:
- Audio Visualization
- Video Visualization
The lighting system can be configured on the LAN and controlled from devices that support it. Audio visualizing applications send approximately 10 packets per second, whereas video visualizing applications send only one packet per second.
LIFX makes use of an 802.11 access point. On the other hand, Philips Hue makes use of 802.15.4 (Zigbee). Both are very similar, except that Philips uses an additional hub to translate TCP/IP packets to ZigBee Light Link packets.
A LIFX packet is composed of 4 components, namely:
- Frame Header
- Frame Address
- Protocol Header
- Payload
This is how LIFX sends its data over the network. The hue, brightness, and saturation levels are encapsulated in the payload part. In general, all colors can be represented using the basic colors red, green and blue. Combinations of these colors can be used to achieve any color.
HSB (hue, saturation, and brightness) is used as an alternative to RGB. The colors in smart light bulbs are represented using HSB. The RGB can be related with HSB as follows
Attack Scenario :
The attack can be carried out by sensing the light output of the smart bulb. For this, the researcher developed an adversary capable of performing the following functions:
- Records the color pattern emitted by Smart Lightbulbs
- Recognizes the color pattern
- Matches with the inbuilt database containing the prior recognized patterns
- Leverages the infrared capabilities of smart bulbs to pivot the data outside the local network to the attacker
Infrared light is used in smart bulbs to help CCTV cameras with night vision, since not all CCTV cameras are night vision compatible. The LIFX+ bulbs are capable of emitting infrared rays up to 950 nm.
The brightness of these LIFX+ bulbs depends upon the input power supply. When the input power is zero, no infrared is emitted, and when the input power is 65535, the infrared emission is at its maximum.
To leverage this, the attacker has to have malware implanted on the local network that encodes the data and sends it back to the attacker. For this, the researchers used a TSOP48 infrared sensor. Using this along with an ATtiny85-based Arduino board, they were able to record the data.
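The following Python is an added example, not code from the paper or from this article: it parses the four-part LIFX packet described above and, from a LAN capture, flags the two signals the attack relies on, visualizer-rate color updates and the infrared emitter being switched on. The field layout and the message type numbers 102 (SetColor) and 122 (SetInfrared) are taken from LIFX's public LAN protocol documentation rather than this page; the burst threshold and the sample packets are constructed assumptions.

```python
import struct
from collections import Counter

# Frame header (8 B) + frame address (16 B) + protocol header (12 B), little-endian.
HEADER = struct.Struct("<HHI8s6sBB8sH2s")
SET_COLOR, SET_INFRARED = 102, 122  # message types from the public LIFX LAN docs

def parse(pkt):
    """Decode one UDP payload; returns None when it is not a LIFX packet."""
    if len(pkt) < HEADER.size:
        return None
    size, proto, source, target, _, _, _, _, mtype, _ = HEADER.unpack_from(pkt)
    if size != len(pkt) or proto & 0x0FFF != 1024:  # protocol number is 1024
        return None
    body = pkt[HEADER.size:]
    msg = {"source": source, "target": target[:6].hex(), "type": mtype}
    if mtype == SET_COLOR and len(body) == 13:
        _, h, s, b, k, ms = struct.unpack("<BHHHHI", body)
        msg.update(hue=h, saturation=s, brightness=b, kelvin=k, duration_ms=ms)
    elif mtype == SET_INFRARED and len(body) == 2:
        (msg["infrared"],) = struct.unpack("<H", body)
    return msg

def review(capture, burst=5):
    """capture: (unix_time, udp_payload) pairs; burst is an assumed threshold."""
    per_second, alerts = Counter(), []
    for ts, pkt in capture:
        msg = parse(pkt)
        if msg is None:
            continue
        if msg["type"] == SET_COLOR:
            per_second[(msg["source"], int(ts))] += 1
        elif msg.get("infrared", 0) > 0:  # infrared emitter switched on
            alerts.append(f"{ts:.1f} source {msg['source']:#x} infrared={msg['infrared']}/65535")
    for (src, sec), n in sorted(per_second.items()):
        if n >= burst:  # audio visualizers send about 10 packets per second
            alerts.append(f"{sec} source {src:#x} {n} SetColor/s (visualizer-like)")
    return alerts

def build(mtype, body, source=0x1234):  # constructed sample packet, made-up ids
    return HEADER.pack(HEADER.size + len(body), 0x1400, source, b"\x02" + bytes(7),
                       bytes(6), 0, 0, bytes(8), mtype, bytes(2)) + body

def demo():
    color = struct.pack("<BHHHHI", 0, 21845, 65535, 32768, 3500, 100)
    capture = [(1000 + i / 10, build(SET_COLOR, color)) for i in range(10)]
    capture.append((1001.2, build(SET_INFRARED, struct.pack("<H", 65535), 0xBEEF)))
    return review(capture)

print(*demo(), sep="\n")
```

On a real network the same `review` function can be fed UDP payloads from a packet capture; a bulb whose infrared level is raised by a source that is not the owner's controller is the event worth investigating.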
Result Analysis :
The researchers carried out this attack under both indoor and outdoor lighting conditions. The most accurate prediction results were obtained under indoor lighting conditions. Among 100 songs, 51 songs were predicted accurately, which exhibits a 50% success rate.
The quality of the exfiltrated data varies with distance. The smaller the distance, the higher the quality of the data. For example, below is the image which is retrieved at a different distance after being sent by the adversary.
To know more about this research, download the research paper here.