Experimental Security Analyses of Non-Networked Compact Fluorescent Lamps: A Case Study of Home Automation Security

Temitope Oluwafemi, Tadayoshi Kohno, Sidhant Gupta, Shwetak Patel


Background. With a projected rise in the procurement of home automation systems, we experimentally investigate security risks that homeowners might be exposed to by compact fluorescent lamps (CFLs), where the lamps themselves do not have network capabilities but are controlled by compromised Internet-enabled home automation systems. Aim. This work seeks to investigate the feasibility of causing physical harm—such as through the explosion of CFLs—to home occupants through an exploited home automation system. Method. We set up a model of a compromised automated home, placing emphasis on a connected Z-Wave enabled light dimmer. Four distinct electrical signals were then applied to two different brands of CFLs connected to a Z-Wave enabled light dimmer until they popped or gave way. Results. Three of ten CFLs on which we conducted our experiments popped, although not to the degree of explosions we expected. The seven remaining CFLs gave way with varying times to failure, indicating process and design variations. We did find that it was possible to produce fluctuations at an appropriate frequency to induce seizures. We were also able to remotely compromise a home automation controller over the Internet. Due to timing constraints, however, we were only able to compromise the light bulbs via an adversary-controlled device using open-zwave libraries, and not via the compromised controller. Conclusions. Our results demonstrated that it will be hard for an attacker to use the described methods to harm homeowners, although we do demonstrate the possibility of attacks, particularly if the homeowner suffers from epilepsy. However, and more importantly, our work demonstrates that non-networked devices—such as light bulbs—might be connected to networked devices and hence can be attacked by remote adversaries.