- A+
A team of researchers has developed a couple of apps that take advantage of the functionalities of smart bulbs for data leaking一组研究人员开发了一些应用程序,这些应用程序利用智能灯泡的功能来进行数据泄露
Researchers from a cybersecurity and digital forensics firm developed two mobile applications that exploit the characteristics of smart bulbs for data exfiltration, as reported by experts from the International Institute of Cyber Security.据国际网络安全研究所的专家报告,来自网络安全和数字取证公司的研究人员开发了两种利用智能灯泡特性进行数据泄露的移动应用程序。
The experts used the Magic Blue smart bulbs , which feature the communication via Bluetooth 4.0.专家们使用了Magic Blue 智能灯泡 ,它通过蓝牙4.0进行通信。 The devices are manufactured by a Chinese company, called Zengge and can be controlled by Android and iOS applications.这些设备由一家名为Zengge的中国公司制造,可以通过Android和iOS应用程序进行控制。 The company has important clients, such as Philips, among others.该公司拥有重要客户,如飞利浦等。
Digital forensics specialists focused their study on devices that use the Low-Energy Attribute Protocol (ATT) to establish communication.数字取证专家将他们的研究重点放在使用低能量属性协议(ATT)建立通信的设备上。
The first test carried out by the experts consisted in detecting the communication between the smart bulbs and the pairing mobile app.专家进行的第一次测试包括检测智能灯泡和配对移动应用之间的通信。 The pairing method used by researchers is Just Works .研究人员使用的配对方法是Just Works 。
Digital forensics experts paired a mobile phone with an Android operating system with the iLight application and began detecting traffic while using the smart bulb's color-changing feature. 数字取证专家将手机与带有iLight应用程序的Android操作系统配对,并在使用智能灯泡的变色功能时开始检测流量。
In this way, the research team found the commands sent by the mobile application to the smart bulbs.通过这种方式,研究团队找到了移动应用程序发送给智能灯泡的命令。 The computer reverse-engineered the mobile application using a tool called JADX .计算机使用名为JADX的工具对移动应用程序进行了逆向工程。
Once they got full control over the device, the specialists began to develop an app that takes advantage of the smart bulbs light to transfer information between the compromised device and the attacker.一旦他们完全控制了设备,专家就开始开发一款应用程序,利用智能灯泡灯在受感染设备和攻击者之间传输信息。
In their proof-of-concept report, the specialists mentioned: “Our plan for data exfiltration was to use the light of these devices as a mean for transferring information from the compromised device to the attacker's location.专家们在他们的概念验证报告中提到:“我们的数据泄露计划是利用这些设备的光线,将信息从受感染的设备传输到攻击者的位置。 Light reaches wider distances, which was our main goal.”光线到达更远的距离,这是我们的主要目标。“
“Let's imagine the next scenario: a BLE smartphone gets compromised with some malware variant to steal the user's credentials. “让我们想象下一个场景:BLE智能手机受到某些恶意软件变种的攻击,以窃取用户的凭据。 Stolen information could be sent to an attacker using a BLE smart bulb in a nearby location.” In their attack, the experts used a smartphone connected to a telescope to receive the leaked data without raising the user's suspicion.可以使用附近位置的BLE智能灯泡向被攻击者发送被盗信息。“在他们的攻击中,专家们使用连接到望远镜的智能手机接收泄露的数据,而不会引起用户的怀疑。
It was necessary to create two apps for data leaking, one was installed on the victim's smartphone, and the other on the attacker's mobile device to receive and interpret the leaked data.有必要创建两个数据泄漏应用程序,一个安装在受害者的智能手机上,另一个安装在攻击者的移动设备上,以接收和解释泄露的数据。
“We created two applications, the first to send the leaked data and the second one to receive them. “我们创建了两个应用程序,第一个发送泄漏的数据,第二个接收它们。 The application that transmits the information changes the intensity of the blue light on the smart bulb.传输信息的应用程序改变智能灯泡上蓝光的强度。 The app has two modalities: normal mode and silent mode.该应用程序有两种形式:正常模式和静音模式。 The first can be visible to the human eye, but the silent mode is very difficult to detect due to the variations of the shades of blue used,” the experts mentioned.第一个可以被人眼看到,但是由于所使用的蓝色阴影的变化,非常难以检测到静音模式,“专家提到。
“These methods are functional in every smart bulb that allows an attacker to take control of them. “这些方法在每个允许攻击者控制它们的智能灯泡中都起作用。 In the future, we would like to create a better proof of concept that allows us to test a database of vulnerable smart bulbs, we have also considered the implementation of artificial intelligence to learn about other classes of smart bulbs,” the experts concluded.在未来,我们希望创建一个更好的概念证明,使我们能够测试易受攻击的智能灯泡的数据库,我们还考虑了人工智能的实施,以了解其他类型的智能灯泡,“专家总结道。
