This guy's light bulb performed a DoS attack on his entire smart house


The challenge of being a futurist pioneer is being Patient Zero for the future’s headaches.

In 2009, Raul Rojas, a computer science professor at the Free University of Berlin (and a robot soccer team coach), built one of Germany’s first “smart homes.” Everything in the house was connected to the Internet so that lights, music, television, heating and cooling could all be turned on and off from afar. Even the stove, oven, and microwave could be turned off with Rojas’s computer, which prevented some potential panic attacks about leaving an appliance on after exiting the house. One of the few things not connected in the house were the locks. Automated locks Rojas bought in 2009 are still sitting in a drawer waiting to be installed. “I was afraid of not being able to open the doors,” Rojas said in a phone interview.

When Rojas let local media tour the home after it was first built, they were wowed by the screen-controlled home—and the robots that vacuumed, patrolled the house and mowed the grass. But it wasn’t just a lab experiment. Rojas has actually lived in the two-story home in the outskirts of Berlin for the last five years.

One of the challenges of smart homes as they currently exist is that different manufacturers in the space use different protocols and standards that are not compatible. It’s like Mac vs. Windows or iOS vs. Android—but for many more devices, and with many other players. Rather than commit to one manufacturer, Rojas designed his home so that all of his devices connected to one main hub. “So when you activate a switch, a packet is sent to the hub and then the hub can send off a command to the relevant device,” explains Rojas.

About two years ago, Rojas’s house froze up, and stopped responding to his commands. “Nothing worked. I couldn’t turn the lights on or off. It got stuck,” he says. It was like when the beach ball of death begins spinning on your computer—except it was his entire home.

It wasn’t quite as bad as the “nightmare on connected home street” dreamed up by Wired last year, in which a fictional smart home’s obsolete technology gets loaded up with viruses and malware and starts misbehaving and uploading naked photos of its owner. Rojas—a professor who specializes in artificial intelligence—knows his way around a network well enough to cure his own home. And, when he investigated, it turned out that the culprit was a single, connected light bulb.

“I connected my laptop to the network and looked at the traffic and saw that one unit was sending packets continuously,” said Rojas. He realized that his light fixture had burned out, and was trying to tell the hub that it needed attention. To do so, it was sending continuous requests that had overloaded the network and caused it to freeze. “It was a classic denial of service attack,” says Rojas. The light was performing a DoS attack on the smart home to say, ‘Change me.'”

Rojas changed the bulb, which fixed the problem. But his issue points to other potential problems for homeowners who opt for connected devices.

“Of course, the bulb receptacle is not supposed to do this, but it happened,” said Rojas. “The technology for intelligent houses is still difficult to use and is the domain of geeks like me. It would have been horrible for a normal person. They would have torn down the wiring in the house trying to figure out what was wrong.”

The light fixture is not the only part of Rojas’s house to misbehave. His cleaning robots have also gone rogue on him periodically, waking him up at inconvenient hours to tidy his floors.

“At one point I had three cleaning robots from three different manufacturers,” Rojas said. “And every day one would fall off the stairs into the cellar and I would have to pick it up. Another would be stuck under the furniture. One from a German manufacturer decided when it wanted to clean; sometimes it would start at 3 a.m. and I would hear it from my bed.”

Between insomniac robots and angry lightbulbs, it’s clear that a smart home can also be a mischievous one.

* Headline change alert: I originally called this a DDoS — or distributed denial of service attack — but I should have called it a DoS — or denial of service — as there was only one computer launching the attack, not many.

Inline Feedbacks
View all comments
Share Tweet Submit Pin