Security researchers at Check Point have published details of vulnerabilities they have found in Philips Hue smart bulbs that could be exploited by hackers to compromise networks remotely.
The researchers were able to hijack control the IoT bulbs and install malicious firmware on it. With that beachhead in place they were then able to launch attacks to compromise the bulbs’ control bridge and then use an inventive method to attack the network:
The hacker-controlled bulb, containing the updated malicious firmware, uses a ZigBee protocol vulnerabiliy to cause a buffer overflow on the control bridge, and install malware onto the bridge as well.
As the bridge is connected to the targeted business or home network, the hacker is now able to infiltrate the network via the bridge, and achieve their goal – whether it be to install ransomware, spy, or steal information.
In short, the attack started at the bulb, travelled to the bridge, and ultimately ended up at the network.
A video made by the researchers demonstrates the attack in action.
The researchers informed the team Philip Hue team of the security vulnerabilities in November 2019, and patched firmware (version 1935144040) has since been made available.
Check Point’s research team, however, says it has delayed publishing full technical details of its discovery in order to allow more time for affected products to be updated.
Users are advised to ensure that their Hue System is fully updated by going to Settings -> Software Update -> Automatic Update in the Hue app.
Of course, it’s worth bearing in mind that the researchers only put the Philips Hue light bulbs under the microscope because they were market-leading IoT devices. There are, no doubt, countless other IoT devices which are likely to be just as vulnerable, if not more so, but simply haven’t yet had a spotlight shone on them.