New research from Check Point shows how business and home networks can be hacked from a lightbulb, an unpatched Philips Hue smart bulb, to be precise.
Everyone is familiar with the concept of IoT, the Internet of Things, but how many of you have heard of smart lightbulbs? By using a mobile app, or your digital home assistant, you can control the light in your house and even calibrate the color of each lightbulb! These smart lightbulbs are managed over the air using the familiar WiFi protocol or ZigBee, a low bandwidth radio protocol. Could attackers somehow bridge the gap between the physical IoT network (the lightbulbs) and attack even more appealing targets, such as the computer network in our homes, offices or even our smart city?
And the answer is: Yes… Check Point’s researchers showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities. Our researchers focused on the market-leading Philips Hue smart bulbs and bridge, and found vulnerabilities (CVE-2020-6007) that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices.
With the help of the Check Point Institute for Information Security (CPIIS) in Tel Aviv University, the researchers were able to take control of a Hue lightbulb on a target network and install malicious firmware on it. From that point, they used the lightbulb as a platform to take over the bulbs’ control bridge, and attacked the target network
MacDailyNews Take: This Philips Hue smart bulb hack is why Amazon, Apple, Google, Zigbee Alliance have joined forces to develop a a new, royalty-free connectivity standard to increase compatibility among smart home products, with security as a fundamental design tenet.
Check Point’s research was disclosed to Philips and Signify (owner of the Philips Hue brand) in November 2019. Signify issued firmware patch (Firmware 1935144040) which is now available on their site here. Philips Hue smart bulb users should make sure their firmware is up-to-date.