Personal conveniences and environmental benefits aside, the Internet of Things is a hackers' paradise.
As the New York Times reports, researchers at Israel's Weizmann Institute of Science and Dalhousie University in Canada recently uncovered a flaw in a wireless technology often used in smart home devices, including Philips Hue smart light bulbs.
The new risk stems from the radio protocol ZigBee, a wireless communications standard widely used in home consumer devices—especially smart light bulbs. Researchers found that the nearly two-decade-old standard can be used to create a computer worm to spread malicious software.
The few lights you have installed in your house are unlikely targets. But imagine a city with thousands of Internet-connected bulbs illuminating neighboring buildings. An attack could "spread explosively over large areas in a kind of nuclear chain reaction," according to the research paper published this week.
Researchers tested their theory in two takeover attack demos, causing lights to flicker at a range of more than 230 feet while driving and from 0.2 miles away via a flying drone.
The scientists notified Philips Lighting of the vulnerability, offering suggestions for a fix; the company has since issued an over-the-air patch.
"Philips Hue products were not and have not been infected by a virus," the company said in a statement. "Researchers contacted us in the summer about a potential vulnerability and we patched it before the details of findings were disclosed publicly. At no time was a virus created or used to infect any Philips Hue products."
Researchers, according to Philips, "merely demonstrated the possibility of an attack. They did not create a virus nor disclose information necessary for someone else to do so. Their research findings helped us to develop and roll out the software update."
Philips urged customers to install the latest software update via the Philips Hue app, even though it described the "risk to Philips Hue products as low."
All it takes is a single infected bulb to allow a worm to spread, and within minutes a hacker can turn blocks of lights on or off, permanently brick them, or exploit them in a DDoS attack—like the one that knocked popular Web services offline last month. In that case, the Mirai botnet—which scours the Web for poorly protected IoT-connected devices and enlists them to overwhelm a target with online traffic—ambushed DNS provider Dyn, causing a major outage across the globe.
Editor's Note: This story was updated at 3:30 p.m. ET with comment from Philips.