Vulnerability in Philips Hue Smart Bulbs Uncovered by Security Researchers
An old vulnerability in Philips Hue smart lights that would have allowed hackers to worm their way into your network has been fixed.
The security flaw in the Zigbee communication protocol used by smart bulbs could have been used to launch attacks on conventional computer networks in homes and businesses, explains a new report from The Verge.
According to Check Point, hackers can exploit the Zigbee vulnerability by taking control of an older Hue bulb and making it turn on and off or change colour, in hopes of tricking the owner into thinking something’s amiss with the bulb.
If the user removes the bulb from the Hue app and re-pairs it to the bridge, the hackers can then use the compromised bulb to trigger a “heap-based buffer overflow” on the bridge by sending it a large amount of data, paving the way for a malware attack on the user’s entire network, the Check Point report says.
Cybersecurity research firm Check Point Software breaks it down:
Continuing from where the previous research left off, Check Point’s researchers showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities. Our researchers focused on the market-leading Philips Hue smart bulbs and bridge, and found vulnerabilities (CVE-2020-6007) that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices. With the help of the Check Point Institute for Information Security (CPIIS) in Tel Aviv University, the researchers were able to take control of a Hue lightbulb on a target network and install malicious firmware on it. From that point, they used the lightbulb as a platform to take over the bulbs’ control bridge, and attacked the target network as follows:
- The hacker controls the bulb’s color or brightness to trick users into thinking the bulb has a glitch. The bulb appears as ‘Unreachable’ in the user’s control app, so they will try to ‘reset’ it.
- The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb.
- The bridge discovers the compromised bulb, and the user adds it back onto their network.
- The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.
- The malware connects back to the hacker and, using a known exploit (such as EternalBlue), they can infiltrate the target IP network from the bridge to spread ransomware or spyware.
ZigBee is a widely used wireless technology designed to let each device communicate with any other device on the network. The protocol has been built into tens of millions of devices worldwide, including Amazon Echo, Samsung SmartThings, Belkin WeMo, and more.
“Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware,” said Yaniv Balmas, Head of Cyber Research at Check Point Research.
“It’s critical that organizations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware,” he continued. “In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”
Check Point reported the issue to Philips and Signify (owner of the Philips Hue brand) in November 2019, but is not releasing full technical details of the hack until users have a chance to install the fix.
“We are thankful for responsible disclosure and collaboration from Check Point,” said George Yianni, head of technology at Philips Hue, in a statement. “It has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk.”