Hacked from a lightbulb: The dark side of smart lighting

By Staff Writer, ITWeb
Johannesburg, 06 Feb 2020

Check Point Research, the threat intelligence arm of Check Point Software Technologies, has revealed vulnerabilities that would enable a hacker to deliver ransomware or other malware to business and home networks by taking over smart lightbulbs and their controller.


During the company’s CPX 360 Vienna event this week, the researchers demonstrated how a bad actor could exploit an IOT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities.

They focused on the popular Philips Hue smart bulbs and bridge, and found vulnerabilities that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IOT devices.

In an analysis of the security of ZigBee-controlled smart lightbulbs published in 2017, researchers were able to take control of a Hue lightbulb on a network, install malicious firmware on it and propagate to other adjacent lightbulb networks.

Using this remaining vulnerability, Check Point researchers took this prior work one step further, using the Hue lightbulb as a platform to take over the bulbs’ control bridge and, ultimately, attack the target's computer network.

It should be noted that more recent hardware generations of Hue lightbulbs do not have the exploited vulnerability, the company says.

The attack plays out as follows: Firstly, the hacker controls the bulb’s color or brightness to trick users into thinking the bulb has a glitch. The bulb appears as ‘unreachable’ in the user’s control app, so they will try to ‘reset’ it. However, the only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb. The bridge then discovers the compromised bulb, and the user adds it back onto their network. 

The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.

Finally, the malware connects back to the hacker and, using a known exploit (such as the notorious EternalBlue used in WannaCry), they can infiltrate the target IP network from the bridge to spread ransomware or spyware.

Yaniv Balmas, head of Cyber Research at Check Point Research, says while most people understand that IOT devices can pose a security risk, this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware.  

“It’s critical that organisations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”

The research was disclosed to Philips and Signify, which owns the brand, in November 2019. Signify confirmed the existence of the vulnerability in its product, and issued a patched firmware version (Firmware 1935144040) which is installed via an automatic update.

George Yianni, head of technology at Philips Hue, says his organisation is committed to protecting its users’ privacy and is doing everything to make its products safe. 

“We are thankful for responsible disclosure and collaboration from Check Point. It has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk,” he adds.
