The “Hue” is a popular range of smart lamps and bulbs from Philips, which comes with all kinds of fixtures and accessories for people to enjoy. However, with every smart thingy that we put in our home or office, we are introducing an attack surface for hackers to exploit. Check Point researchers have discovered that Philips Hue smart bulbs are vulnerable to CVE-2020-6007, which permits the exploitation of the ZigBee low-power wireless protocol and can potentially lead to the infiltration of networks via remote code execution.
In fact, a team from Check Point collaborated with researchers at Tel Aviv University to launch an attack against a Hue lightbulb, and they eventually managed to install malware on the network that was serving the target IoT device. From that point, as they explain, it was easy to further infiltrate and take over the control bridge of the bulbs. The trick is to drop the bulb’s brightness and render it unreachable from the user’s control app. Attempting to fix the problem, the user will most likely try to reset the lamp. Once they do, the hacker accesses the ZigBee protocol and triggers a heap-based buffer overflow exploit.
After this step, the hacker can install malware on the bridge and finally infiltrate the home or office network. If the actor wants to, they can potentially spread ransomware or spyware to the connected devices, so a single flaw in a Philips lamp can lead to big problems. The following video from Check Point demonstrates how an attack of this type would work, and what the situation would look like. However, to allow consumers plenty of time to update their firmware, the researchers have chosen not to provide any technical details or a proof of concept for this attack yet.
Philips and Signify (the firm responsible for the development of Hue products) were informed about the flaws quite a while back, and the problems were patched with firmware version 1935144040, which was released on January 13, 2020. Thus, if you’re using a Philips Hue lamp, you are advised to upgrade to the latest available firmware immediately, as Check Point is planning to release the proof of concept (PoC) in the following weeks. This story goes to show that everything that is connected to the internet is a risk for the security of your network. One way to mitigate these risks is to set up a separate network for IoT devices or to disconnect them from the network when they’re not in use.