Researchers discover security flaws in smart home products

September 5, 2017, University of Erlangen-Nuremberg
Credit: Philipp Morgner

Smart home products such as lamps controlled via mobile devices are becoming ever more popular in private households. We would, however, feel vulnerable in our own four walls if strangers suddenly started switching the lights in our homes on and off. Researchers at the IT Security Infrastructures group, Friedrich-Alexander University Erlangen-Nürnberg (FAU) have discovered security problems of this nature in smart lights manufactured by GE, IKEA, Philips and Osram.

Philipp Morgner and Zinaida Benenson's team managed to make connected lighting systems of different manufacturers flash for several hours with a single radio command sent from a distance of more than 100 metres away. Additionally, they were able to modify the bulbs using radio commands so that the user was unable to control them. It was even possible in certain situations change the colour or brightness of the light.

Inadequate security features

The FAU researchers discovered the in ZigBee, an important wireless standard employed for the control of smart home products. More than 100 million products that use ZigBee technology are estimated to have been distributed around the world. The most recent version, ZigBee 3.0, was released in December 2016. Part of this specification includes the touchlink commissioning procedure for adding new devices to an existing smart home network or to set up a new network. The team was able to demonstrate that the security features of touchlink commissioning are inadequate and make it vulnerable to attack. It is probable that other applications based on ZigBee that are relevant to security, such as heating systems, door locks and alarm systems, will also be affected in the future.

Manufacturers react to security risk

The research team recommended disabling touchlink commissioning in all future ZigBee 3.0 products. Some manufacturers have already reacted and made an update available to customers that significantly reduces the risk of an attack. The latest information is published on the a website.

The IT Security Infrastructures group focuses on IT security in the context of the Internet of Things. The researcher's findings show that most manufacturers consider to be less important than functionality and compatibility requirements. That is why the team has decided to identify vulnerabilities to motivate manufacturers to develop better measures.

Explore further: Smart electrical grids more vulnerable to cyber attacks

Related Stories

Smart electrical grids more vulnerable to cyber attacks

August 16, 2017

Electricity distribution systems in the USA are gradually being modernized and transposed to smart grids, which make use of two-way communication and computer processing. This is making them increasingly vulnerable to cyber ...

Smart homes need to start treating their inhabitants better

April 20, 2016

We might still be some way from coming home to robots doing the cooking and cleaning for us, but the age of widespread home automation has arrived. More and more people now have "intelligent" versions of devices like thermostats ...

Recommended for you

Semimetals are high conductors

March 18, 2019

Researchers in China and at UC Davis have measured high conductivity in very thin layers of niobium arsenide, a type of material called a Weyl semimetal. The material has about three times the conductivity of copper at room ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.