
IoT Goes Nuclear: Creating a ZigBee Chain Reaction - jgeralnik
http://iotworm.eyalro.net
======
jgeralnik
> The worm spreads by jumping directly from one lamp to its neighbors, using
> only their built-in ZigBee wireless connectivity and their physical
> proximity. The attack can start by plugging in a single infected bulb
> anywhere in the city, and then catastrophically spread everywhere within
> minutes, enabling the attacker to turn all the city lights on or off,
> permanently brick them, or exploit them in a massive DDOS attack

> To make such an attack possible, we had to find a way to remotely yank
> already installed lamps from their current networks, and to perform over-
> the-air firmware updates. We overcame the first problem by discovering and
> exploiting a major bug in the implementation of the Touchlink part of the
> ZigBee Light Link protocol, which is supposed to stop such attempts with a
> proximity test. To solve the second problem, we developed a new version of a
> side channel attack to extract the global AES-CCM key that Philips uses to
> encrypt and authenticate new firmware.

Fantastic work!