All Your Bulbs Are Belong to Us: Investigating the Current State of Security in Connected Lighting Systems

ZigBee Light Link (ZLL) is the low-power mesh network standard used by connected lighting systems, such as Philips Hue, Osram Lightify, and GE Link. These lighting systems are intended for residential use but also deployed in hotels, restaurants, and industrial buildings. In this paper, we investigate the current state of security in ZLL-based connected lighting systems. We extend the scope of known attacks by describing novel attack procedures to show that the ZLL standard is insecure by design. Using our penetration testing framework, we are able to take full control over all three systems mentioned above. Besides novel attack procedures, we also extend the intended wireless range of max. 2 meters for configuring a ZLL device to over 30 meters, thus making ZLL-based systems susceptible to war driving. We conclude with a discussion about the security needs of connected lighting systems and derive several lessons for Internet of Things security that can be learned from the insecure design of ZLL-based connected lighting systems.