Security researchers with Checkmarx developed two mobile applications that exploit smart bulbs features for data exfiltration.
The experts used the Magic Blue smart bulbs that implement communication through Bluetooth 4.0. The devices are manufactured by the Chinese company called Zengge and could be controlled using both Android and iOS apps.
The company supplies major brands like Philips and Osram etc.
The experts focused their study on devices using the Low Energy Attribute Protocol (ATT) to communicate.
The first test made by the experts consisted of sniffing communication between the smart bulbs and the paired Mobile Application. The pairing method used by the researcher is Just Works.
The experts paired the Android mobile phone with the iLight app and started sniffing the traffic while changing the colors of the smart bulbs.
In this way, the researchers discovered the commands sent by the mobile app to the smart bulbs. The team made a reverse engineering of the Mobile Application using the jadx tool.
Once gained the complete control of the bulbs, experts started working on an application that leverages the light of the bulbs to transfer information from a compromised device to the attacker.
“The main plan for exfiltration was to use light as a channel to transfer information from a compromised device to the attacker. Light can achieve longer distances, which was our goal.” reads the analysis published by the experts.
“Imagine the following attack scenario: a BLE device (smartphone) gets compromised with malware. The malware steals the user’s credentials. The stolen information is sent to an attacker using a BLE light bulb nearby.”
Checkmark experts used a smartphone connected to a telescope to receive the exfiltrated data without raising suspicion.
The researchers created two applications for the data exfiltration, one installed on the victim’s mobile device and the other users on the attacker’s mobile device to receive and interpret the data.
The application installed on the victim’s device modulates the light intensity to transfer data, it runs in either Normal or Stealth mode. The Stealth mode is hard to detect to the victim’s eye because it uses the shades of blue.
“We created two apps, the first app for sending the exfiltrated data and a second one for receiving it. The app that transmits the information changes the blue light intensity – weaker for binary 1 and stronger for binary 0. The app has two options: Normal mode and Stealth mode. The first one may be visible to human-eye and the stealth mode is very hard to detect because of the variations of shades of blue used.” continues the experts.
Below a video PoC created by the experts.
“These methods will work on every smart bulb that allows control by an attacker. In the future, we would like to create a better proof of concept that allows us to test a database of vulnerable bulbs and even implement AI to learn and implement new bulbs along the way,” Checkmarx concludes.
(Security Affairs – data exfiltration, smart bulbs)