How your network could be hacked through a Philips Hue smart bulb

Graham CLULEY

February 06, 2020

Security researchers at Check Point have published details of vulnerabilities they have found in Philips Hue smart bulbs that could be exploited by hackers to compromise networks remotely.

The researchers were able to hijack control of the IoT bulbs and install malicious firmware on them. With that beachhead in place, they were then able to launch attacks to compromise the bulbs’ control bridge and then use an inventive method to attack the network:

  1. The hacker controls the bulb’s color or brightness to trick users into thinking the bulb has a glitch. The bulb appears as “Unreachable” in the user’s control app, so they will try to “reset” it.
  2. The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb.
  3. The bridge discovers the compromised bulb, and the user adds it back onto their network.

The hacker-controlled bulb, containing the updated malicious firmware, uses a ZigBee protocol vulnerability to cause a buffer overflow on the control bridge, and install malware onto the bridge as well.

As the bridge is connected to the targeted business or home network, the hacker is now able to infiltrate the network via the bridge, and achieve their goal – whether it be to install ransomware, spy, or steal information.

In short, the attack started at the bulb, travelled to the bridge, and ultimately ended up at the network.

A video made by the researchers demonstrates the attack in action.

The researchers informed the Philips Hue team of the security vulnerabilities in November 2019, and patched firmware (version 1935144040) has since been made available.

Check Point’s research team, however, says it has delayed publishing full technical details of its discovery in order to allow more time for affected products to be updated.

Users are advised to ensure that their Hue System is fully updated by going to Settings -> Software Update -> Automatic Update in the Hue app.

Of course, it’s worth bearing in mind that the researchers only put the Philips Hue light bulbs under the microscope because they were market-leading IoT devices. There are, no doubt, countless other IoT devices which are likely to be just as vulnerable, if not more so, but simply haven’t yet had a spotlight shone on them.
