Hackers used a drone to target a set of Philips light bulbs in an office tower, infecting the bulbs with a virus that let the attackers turn the lights on and off, and flash an “SOS” message in Morse code.
The attack, described in a new research paper published this week, relied on a weakness in a common wireless radio protocol called ZigBee that Philips (PHG) uses to make its Hue light bulbs part of an online network. The revelation comes at a time of growing concern over how the so-called Internet of things, in which ordinary devices are controlled via an online network, can turn hostile.
As the researchers explain, ZigBee contains a flaw that can allow hackers to infect a lightbulb with a virus, which then spreads to other bulbs in the network. Their research includes a video of a drone with a USB stick that hovers near Philips light bulbs in order to take control of them, and forces them to blink on and off.
News of the ZigBee vulnerability is not new. Other researchers described the potential for such an attack last year, but this week’s report, titled “IoT Goes Nuclear,” is the first evidence of such an attack being carried out in practice.
The report’s authors, who work at universities in Canada and Tel Aviv, warn that hackers could use control over the light bulbs to plunge a whole city into darkness, or use them to launch attacks on other parts of the Internet:
The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.
The researchers say they informed Philips Lighting about the vulnerability, and that the company responded by fixing it.
Get Data Sheet, Fortune’s technology newsletter.
“We have assessed the security impact as low given that specialist hardware, unpublished software and close proximity to Philips Hue lights are required to perform a theoretical attack,” a Philips spokesperson told the New York Times, which first reported the research.
Meanwhile, consumers and product manufacturers are still coming to terms with a massive Internet of things attack last month in which hackers hijacked millions of connected devices in order to cut off access to popular websites like Twitter and Amazon.
