Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

04:25 PM
Connect Directly

Researchers Reveal How Smart Lightbulbs Can Be Hacked to Attack

New exploit builds on previous research involving Philips Hue Smart Bulbs.

Most people installing smart lightbulbs in their homes or offices are unlikely to see the devices as providing a potential entry point for cybercriminals into their networks. But new research from Check Point has uncovered precisely that possibility.

In a report released this week, researchers described how attackers could break into a home- or office network and install malware, by exploiting a security flaw in a communication protocol used in Philips Hue Smart Bulbs on the network.

"From our perspective, the main takeaway from this research is emphasizing that IoT devices, even the most simple and mundane ones, could be attacked and taken over by attackers," says Eyal Itkin, security researcher at Check Point.

Check Point's exploit builds on previous work from 2017 where researchers showed how they could take complete control of a large number of Philips Hue smart bulbs—such as those that might be deployed in a modern city—by infecting just one of them. Philips since has addressed the vulnerability that allowed malware to propagate from one infected smart bulb to the next.

But another implementation issue that allows attackers to take control of a Philips Hue smart bulb and install malware on it via an over-the-air firmware update, has not been fixed. Check Point researchers found that by exploiting that issue—and another security vulnerability they discovered in the Zigbee implementation of the Philips Hue smart-bulb control-bridge (CVE-2020-6007)—they could launch attacks on the network to which the bridge is connected.

Zigbee is a widely used smart-home protocol. Multiple other smart home products use the protocol including Amazon Echo, Samsung SmartThings, and Belkin WeMo. With Philips Hue smart bulbs, the bridge uses Zigbee to communicate with and control the bulb. But there are other smart bulbs that don't require a bridge at all and instead operate over Bluetooth or WiFi and are managed through a Zigbee-capable digital assistant.

"The attack grants the attacker access to the computer network to which the bridge is connected," Itkin says.

In a home scenario, an attacker could use the exploit to spread malware or to spy on home computers and other connected devices. "In an office environment, it would probably be the first step in an attempt to attack the organization, steal documents from it, or prepare a dedicated ransomware attack on sensitive servers inside the network," he says.

In Check Point's attack, the researchers first took control of a Philips Hue lightbulb, using the previously discovered vulnerability from 2017, and installed malicious firmware on it. They then demonstrated how an attacker could control the lightbulb—by constantly changing its colors, and its brightness for instance—to get users to delete the errant bulb from their app and reset it.

When the control bridge rediscovers the bulb and the user adds it back to their network, the malicious firmware exploits the Zigbee protocol vulnerability on it to install malware on the bridge. The malware then connects back to the attacker and using a known exploit—like EternalBlue—the attackers can then infiltrate the target network from the bridge, Check Point said.

Complex But Exploitable Flaw

The exploit only works if a user deletes a compromised bulb and instructs the control bridge to re-discover it: "Without the user issuing a command to search for new lightbulbs, the bridge won't be accessible to our now-owned lightbulb, and we won't be able to launch the attack," Itkin says.

Specifically, the vulnerability Check Point discovered is only accessible when the bridge is adding or commissioning a new lightbulb to the network, he says.

The vulnerability that Check Point discovered is rated as "complex" to exploit because of the tight constraints in the Zigbee protocol around message sizes and timing. An attacker must be relatively close to the target network in order to take initial control of a bulb.

The 2017 research showed how attackers could take control of a user's Philips Smart Hue lightbulb from over 1,300 feet (400m). If launched from a distance, the attack requires a directed antenna and sensitive receiving equipment to intercept Zigbee messages between the bulb and control bridge, Itkin says. "In a classic scenario, the attack could be performed from a van that parks down the street."

Check Point n November 2019 notified Philips and Signify, which owns the Hue brand, about the threat it found. Signify has issued a patch for the flaw, which is now available on their site. "The Philips Hue Bridge has automatic updates by default and the firmware should be downloaded and installed automatically," Itkin notes. They should also check the mobile app and verify that the firmware version has been updated to 1935144040, he says.

Pavel Novikov, head of the telecom security research team at Positive Technologies, says security in the Zigbee protocol is implemented via mandatory encryption. But when a device is connected to the Zigbee hub for the first time, there is a moment when encryption is not used, and the device and network are vulnerable to interception.

"Unfortunately, this architectural vulnerability cannot be fixed," he says. All users can do is be aware of it and take pay attention when devices are paired. "If your device has dropped out of the network, don't rush to bind it again, because this could be the start of a hacker attack."

For enterprise organizations, Check Point's research is another example of how IoT is continuing to expand the attack surface, said Mike Riemer, global chief security architect at Pulse Secure. "Many IoT devices have open default settings and require configuration and patch hygiene," he said. Organizations need to implement a Zero Trust approach to security and ensure that all connected devices are visible, verified, properly monitored, and segregated, he said.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "What Is a Privileged Access Workstation (PAW)?."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...