Business and home networks can be hacked via smart lightbulbs.

Imagine how the use of smart lighting hubs such as Philips Hue or ZigBee could lead to a dark outcome: that of a business or home become a victim of ransomware or data breach via vulnerabilities in the lighting network. That could be possible if the firmware of the lighting network had not been frequently updated.

The attack scenario is as follows:

  1. The hacker controls the bulb’s colour or brightness to trick users into thinking the bulb has a glitch. The bulb appears as ‘Unreachable’ in the user’s control app, so they will try to ‘reset’ it.
  2. The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb. 
  3. The bridge discovers the compromised bulb, and the user adds it back onto their network.
  4. The hacker-controlled bulb with updated firmware then uses the bulb network protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge–which is in turn connected to the target business or home network. 
  5. The malware connects back to the hacker and using a known exploit (such as EternalBlue), they can infiltrate the target IP network from the bridge to spread ransomware or spyware.

A threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities. Researchers from security firm Check Point Software Technologies focused on a market-leading brand such as Philips Hue smart bulbs and bridge, and in 2017, they had uncovered vulnerabilities (CVE-2020-6007) that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices.

Their analysis of the security flaw was published in 2017, but researchers decided to take this prior work one step further and used the Hue lightbulb as a platform to take over the bulbs’ control bridge and ultimately, attacking the target’s computer network. It should be noted that more recent hardware generations of Hue lightbulbs do not have the exploited vulnerability.

Said Yaniv Balmas, Head of Cyber Research, Check Point Research: “Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware. It’s critical that organisations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”

The research, which was done with the help of the Check Point Institute for Information Security (CPIIS) in Tel Aviv University, was disclosed to Philips and Signify (owner of the Philips Hue brand) in November 2019. Signify subsequently confirmed the existence of the vulnerability in their product, and issued a patched firmware version (Firmware 1935144040) which is now via an automatic update. We recommend users to make sure that their product received the automatic update of this firmware version.

Said George Yianni, Head of Technology, Philips Hue: “We are committed to protecting our users’ privacy and do everything to make our products safe. We are thankful for responsible disclosure and collaboration from Checkpoint, it has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk”. 

According to Boris Cipot, Senior Security Engineer at Synopsys Software Integrity Group, the vulnerability in the ZigBee protocol was addressed by the release of a patch on 13 Jan 2020. “Those who have not enabled automatic updates or are unsure if they have, should check what their status is on the Hue System in the Hue app (Settings -> Software update -> Automatic Update). It is highly advisable to turn the automatic updates on as you do not want to miss any security improvements now or in the future. Furthermore, there are other perks to having automatic updates switched on. This includes ensuring you do not miss out on quality, security or performance improvements, as well as guaranteeing that your Hue System stays compatible with new Hue products.”

Checkpoint has indicated that the full technical research details of the vulnerability will be published at a later date in order to give users time to successfully patch their vulnerable devices.

With the recent acquisition of IoT cybersecurity firm Cymplify, Check Point claims to be the first vendor to provide a consolidated security solution that hardens and protects the firmware of IoT devices.