Most people installing smart lightbulbs in their homes or offices are unlikely to see the devices as providing a potential entry point for cybercriminals into their networks. But new research from Check Point has uncovered precisely that possibility.
In a report released this week, researchers described how attackers could break into a home or office network and install malware by exploiting a security flaw in the Zigbee implementation of the Philips Hue bridge that controls the company's smart bulbs on that network.
"From our perspective, the main takeaway from this research is emphasizing that IoT devices, even the most simple and mundane ones, could be attacked and taken over by attackers," says Eyal Itkin, security researcher at Check Point.
Check Point's exploit builds on previous work from 2017 in which researchers showed how they could take complete control of a large number of Philips Hue smart bulbs, such as those that might be deployed across a modern city, by infecting just one of them. Philips has since addressed the vulnerability that allowed malware to propagate from one infected smart bulb to the next.
But another implementation issue, which allows attackers to take control of a single Philips Hue smart bulb and install malware on it via an over-the-air firmware update, has not been fixed. Check Point researchers found that by exploiting that issue, together with a second vulnerability they discovered in the Zigbee implementation of the Philips Hue control bridge (CVE-2020-6007), they could launch attacks on the IP network to which the bridge is connected.
Zigbee is a widely used smart-home protocol. Multiple other smart home products use it, including Amazon Echo, Samsung SmartThings, and Belkin WeMo. With Philips Hue smart bulbs, the bridge uses Zigbee to communicate with and control the bulbs. Other smart bulbs don't require a dedicated bridge at all: some operate over Bluetooth or WiFi, and Zigbee bulbs can be paired directly with a digital assistant that has its own Zigbee radio.
"The attack grants the attacker access to the computer network to which the bridge is connected," Itkin says.
In a home scenario, an attacker could use the exploit to spread malware or to spy on home computers and other connected devices. "In an office environment, it would probably be the first step in an attempt to attack the organization, steal documents from it, or prepare a dedicated ransomware attack on sensitive servers inside the network," he says.
In Check Point's attack, the researchers first took control of a Philips Hue lightbulb, using the previously discovered vulnerability from 2017, and installed malicious firmware on it. They then demonstrated how an attacker could misbehave through the lightbulb, by constantly changing its color and brightness for instance, to get users to delete the errant bulb from their app and reset it.
When the control bridge rediscovers the bulb and the user adds it back to their network, the malicious firmware exploits the Zigbee vulnerability in the bridge to install malware there. That malware then connects back to the attacker, who can use a known exploit against hosts on the same LAN, such as EternalBlue against unpatched Windows machines, to move from the bridge into the rest of the target network, Check Point said.
Complex But Exploitable Flaw
The exploit only works if a user deletes a compromised bulb and instructs the control bridge to re-discover it: "Without the user issuing a command to search for new lightbulbs, the bridge won't be accessible to our now-owned lightbulb, and we won't be able to launch the attack," Itkin says.
Specifically, the vulnerability Check Point discovered is only accessible when the bridge is adding or commissioning a new lightbulb to the network, he says.
The vulnerability that Check Point discovered is rated as "complex" to exploit because of the tight constraints in the Zigbee protocol around message sizes and timing. An attacker must also be within radio range of the target bulb in order to take initial control of it.
The 2017 research showed how attackers could take control of a user's Philips Hue smart lightbulb from over 1,300 feet (400m). If launched from a distance, the attack requires a directional antenna and sensitive receiving equipment to intercept Zigbee messages between the bulb and control bridge, Itkin says. "In a classic scenario, the attack could be performed from a van that parks down the street."
Check Point in November 2019 notified Philips and Signify, which owns the Hue brand, about the threat it found. Signify has issued a patch for the flaw, which is now available on its site. "The Philips Hue Bridge has automatic updates by default and the firmware should be downloaded and installed automatically," Itkin notes. Users should also check the mobile app and verify that the bridge firmware version has been updated to 1935144040, he says.
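The version check above can also be done without the mobile app. The following is an added example, not code from Check Point or Signify: it reads the bridge's unauthenticated GET /api/config summary, which reports the firmware build in a "swversion" field, and compares it with the build the article names as the fixed one. It assumes the bridge address given on the command line and that the bridge reports a purely numeric build string, as current Hue bridges do; the sample JSON responses are constructed for the offline check.

```python
"""Verify a Philips Hue bridge is running the patched firmware build.

Added example (not Check Point's or Signify's code). Field names follow the
Hue bridge's /api/config response; the sample values below are constructed.
"""
import json
import sys
import urllib.request

# Build number the article reports as carrying the fix for CVE-2020-6007.
PATCHED_SWVERSION = "1935144040"

# Constructed sample responses shaped like GET /api/config (values made up).
SAMPLE_UNPATCHED = (
    '{"name":"Philips hue","modelid":"BSB002",'
    '"swversion":"1933094100","apiversion":"1.33.0"}'
)
SAMPLE_PATCHED = (
    '{"name":"Philips hue","modelid":"BSB002",'
    '"swversion":"1935144040","apiversion":"1.35.0"}'
)


def parse_swversion(config_json: str) -> int:
    """Extract the firmware build from a /api/config JSON body as an integer.

    The bridge zero-pads the build, so integer comparison orders builds
    correctly; anything non-numeric is rejected rather than guessed at.
    """
    cfg = json.loads(config_json)
    ver = cfg.get("swversion")
    if not isinstance(ver, str) or not ver.isdigit():
        raise ValueError(f"unexpected swversion value: {ver!r}")
    return int(ver)


def is_patched(config_json: str, minimum: str = PATCHED_SWVERSION) -> bool:
    """True if the reported build is the patched build or a later one."""
    return parse_swversion(config_json) >= int(minimum)


def fetch_config(bridge_host: str, timeout: float = 5.0) -> str:
    """Fetch the unauthenticated config summary from a bridge on the LAN.

    Not exercised offline; bridge_host is supplied by the caller.
    """
    url = f"http://{bridge_host}/api/config"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def report(config_json: str) -> str:
    """One-line human-readable verdict for a config body."""
    build = parse_swversion(config_json)
    status = "patched" if is_patched(config_json) else "VULNERABLE, update it"
    return f"bridge firmware {build}: {status}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumed usage: python hue_check.py 192.168.1.10
        print(report(fetch_config(sys.argv[1])))
    else:
        # Offline demonstration on the constructed samples.
        print(report(SAMPLE_UNPATCHED))
        print(report(SAMPLE_PATCHED))
```

Because Check Point's attack only reaches the bridge during commissioning, this check is most useful right before re-adding a bulb that unexpectedly dropped off the network: a bridge still reporting a build below the fixed one should be updated first.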
Pavel Novikov, head of the telecom security research team at Positive Technologies, says security in the Zigbee protocol is implemented via mandatory encryption. But when a device is connected to the Zigbee hub for the first time, there is a moment when encryption is not used, and the device and network are vulnerable to interception.
"Unfortunately, this architectural vulnerability cannot be fixed," he says. All users can do is be aware of it and pay attention when devices are paired. "If your device has dropped out of the network, don't rush to bind it again, because this could be the start of a hacker attack."
For enterprise organizations, Check Point's research is another example of how IoT is continuing to expand the attack surface, said Mike Riemer, global chief security architect at Pulse Secure. "Many IoT devices have open default settings and require configuration and patch hygiene," he said. Organizations need to implement a Zero Trust approach to security and ensure that all connected devices are visible, verified, properly monitored, and segregated, he said.