On Nov. 2, 1988, a computer at the Massachusetts Institute of Technology was infected with one of the first-ever self-spreading viruses. A few hours later, one of every ten computers in the world that were connected to the internet got infected with that same malware, which has now come to be known as the Morris Worm.
Almost thirty years later, a group of researchers says they found a way to have a self-replicating worm spread through internet-connected lightbulbs, turning them off, bricking them, or making them all turn on and off multiple times to disrupt the electric grid.
“A single infected lamp with a modified firmware which is plugged-in anywhere in the city can start an explosive chain reaction in which each lamp will infect and replace the firmware in all its neighbors within a range of up to a few hundred meters,” the researchers wrote in the paper.
In a paper published on Thursday, the researchers describe how ill-intended hackers could have taken advantage of flaws in the popular Philips Hue smart light bulbs and the protocol they use for wireless connectivity to push a malicious firmware update and have it spread automatically from bulb to bulb. Last summer, the same researchers showed how they could hack Philips Hue lightbulbs from as far as 400 meters (around 435 yards) away outdoors, and 70 m (around 75 yards) inside, just by driving around or flying a drone equipped with off-the-shelf hardware.
Philips said in a statement that the company had already released a patch on October 4, and recommends that all customers install the patch through the Hue app. The company also downplayed the severity of the attack detailed by the researchers.
“We have assessed the security impact as low given that specialist hardware, unpublished software and close proximity to Philips Hue lights are required to perform a theoretical attack,” a Philips spokesperson said in an email.
But Eyal Ronen, a PhD student at the Weizmann Institute of Science in Israel who worked on the research, told Motherboard that Philips has only patched the bug that allowed them to take over light bulbs from afar, but they can “still create the malicious updates” and theoretically spread them by infecting just one smart light bulb that’s close to others.
The worst-case scenario, as Ronen put it last summer, is a city-wide blackout. For now, this seems like a theoretical, far-fetched scenario, given that Philips Hue smart light bulbs aren’t popular enough to blanket a city. But one day, if makers of Internet of Things devices don’t do their security homework, it could happen.
“We should work together to use the knowledge we gained to protect IoT devices,” the researchers concluded in the paper, “or we might face in the near future large scale attacks that will affect every part of our lives.”