It’s one of the most chilling lines from the movies of the 20th century. My namesake and hometown hero Sir Laurence Olivier repeatedly asked Dustin Hoffman “Is it safe?” while torturing him in a dentist’s chair in the movie classic Marathon Man.
Hoffman’s character’s problem was that he didn’t know what “it” was. So how could he answer?
The recent story that reminded me of this particular movie scene was one from the world of cybersecurity. And it’s a story that just goes to show that in today’s IoT world, that unsafe “it” could be almost anything.
It seems that last year, hackers from Check Point Research (fortunately the “good guys”) found that there were vulnerabilities in the ZigBee wireless protocols used to control a very mundane object – a smart lightbulb.
The lamp in question, the Philips Hue, offers users the ability to control not only the brightness but also the colour of the illumination from a wirelessly connected control bridge.
The Check Point hackers went on to demonstrate that it would be relatively easy for a malicious actor to take control of one of these devices wirelessly from anything up to 100m away.
Once in control of the lightbulb, they simulated a malfunction in the lamp while injecting malicious code that could be used to take over the control bridge for the lighting network once the user had rebooted the lamp to clear the fault.
Once the control bridge had been taken over, they could than target any connected computer network.
This would give them the opportunity to inject malware, ransomware and any other form of mischief into computers that might later be connected to a work network, or even a control system.
So could a compromised lightbulb shut down a production line? It hardly seems likely, but it is certainly possible.
Needless to say, the Check Point team revealed their findings to the manufacturer of the lightbulbs, which closed the loophole and issued a firmware security patch that would be automatically uploaded to all devices in the field.
While that particular vulnerability has been resolved, it does go to show exactly how a security weak point in any connected device – however insignificant – could be exploited to attack major IT and OT assets.
With more and more devices joining the Internet of Things each day, we really should all be asking ourselves “Is it safe?”… just as soon as we can work out what “it” is.