IoT network flaw left Philips Hue bulbs open to attack

Researchers at cyber security firm Check Point have identified vulnerabilities in the ZigBee networking protocol that can be exploited to deliver ransomware or spyware to home networks by compromising the popular Philips Hue lightbulbs and their controllers.

The CVE-2020-6007 vulnerabilities can be exploited to infiltrate domestic networks using a remote exploit in the ZigBee low-power wireless networking protocol, which is widely in used by internet of things (IoT) devices.

“Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or to plant malware,” said Yaniv Balmas, head of cyber research at Check Point.

Check Point’s researchers first explored vulnerabilities in Philips Hue devices in 2017, when they were able to take control of a Hue lightbulb, install malicious firmware on it, and propagate to adjacent lightbulb networks.

Although the propagation vulnerability was fixed at the time by Philips, attackers were still able to take over a target bulb. So, using this remaining vulnerability, Check Point’s team then went a step further and tried to use the bulb as a platform to take over the control bridge and attack the target’s standard home IP network.

In this scenario, the attacker (who must be located within range of the device) plays around with the colour or brightness settings to convince the target that the bulb is on the blink. The bulb appears as “unreachable” in the control app, so naturally the target will try to reset it.

However, the only way to do this is to delete the bulb from the control app and instruct the control bridge to try to find it again. The bridge duly does this, and the bulb rejoins the IoT network.

The hacker-controlled bulb, with updated firmware, then uses the ZigBee protocol vulnerability to trigger a heap-based buffer overflow on the bridge by bombarding it with data requests. This data also lets the hacker install malware on the bridge, which is connected to the target IP network.

With the malware installed and connected back to the hacker, the attacker can then infiltrate the target network from the bridge to spread ransomware or spyware using known exploits, for example EternalBlue.

Philips and Signify, which own the Hue brand, were informed of the vulnerability in November 2019 by Check Point’s Institute for Information Security (CPIIS), based at Tel Aviv University in Israel. A patched firmware update (1935144040) has since been made available to download on the website.

“It is critical that organisations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware,” said Check Point’s Balmas.

“In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”

George Yianni, head of technology at Philips Hue, added: “We are committed to protecting our users’ privacy and do everything to make our products safe. We are thankful for responsible disclosure and collaboration from Check Point – it has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk.”