All Your Bulbs Are Belong to Us: Investigating the Current State of Security in Connected Lighting Systems
Philipp Morgner, Stephan Mattejat, Zinaida Benenson

TL;DR
This paper reveals significant security vulnerabilities in ZLL-based connected lighting systems, demonstrating how they can be fully compromised remotely and discussing broader IoT security implications.
Contribution
It introduces novel attack procedures that exploit inherent design flaws in ZLL, extending attack range and providing insights into IoT security challenges.
Findings
ZLL systems are insecure by design.
Full control of lighting systems is achievable remotely.
Attack range can be extended from 2m to over 30m.
Abstract
ZigBee Light Link (ZLL) is the low-power mesh network standard used by connected lighting systems, such as Philips Hue, Osram Lightify, and GE Link. These lighting systems are intended for residential use but also deployed in hotels, restaurants, and industrial buildings. In this paper, we investigate the current state of security in ZLL-based connected lighting systems. We extend the scope of known attacks by describing novel attack procedures to show that the ZLL standard is insecure by design. Using our penetration testing framework, we are able to take full control over all three systems mentioned above. Besides novel attack procedures, we also extend the intended wireless range of max. 2 meters for configuring a ZLL device to over 30 meters, thus making ZLL-based systems susceptible to war driving. We conclude with a discussion about the security needs of connected lighting systems…
Taxonomy
Topics: Smart Grid Security and Resilience · Vehicular Ad Hoc Networks (VANETs) · Security in Wireless Sensor Networks
