February 5, 2020

Philips Hue vulnerability turns smart bulbs into gateway for hackers

By Lucy Ingham

A vulnerability has been identified in the Philips Hue smart bulbs range that could be exploited by hackers to take over the networks of homes and businesses.

The vulnerability, which has been fixed via a patch issued by Philips, takes the form of a remote exploit in ZigBee, a low-power wireless protocol used in many internet of things (IoT) devices.

Discovered by Check Point Research, the vulnerability could enable a hacker to take control of a Philips Hue smart light bulb, and cause it to appear to ‘glitch’, prompting a user to attempt to fix the problem via their control app.

However, once they looked in the app, the user would find the bulb unreachable, the fix for which is to delete the bulb from the app and then rediscover it via Bridge, the control unit for Philips Hue smart bulbs.

But when the hacker-controlled smart bulb was re-added to the network, the hacker could then use the exploit in the ZigBee protocol to essentially flood the Bridge with data to trigger what is known as a buffer overflow. During this process, they could sneak malware onto the wider network the unit was connected to – and depending on the malware, could then spread ransomware or spyware.

Philips Hue vulnerability fixed in patch

The vulnerability in the Philips Hue range was discovered by researchers at Check Point, and it is not known whether any hackers made use of the exploit.

The company identified the flaw in November, and notified Philips and Hue-owner Signifiy, delaying reporting the discovery until the companies had developed and issued a patched firmware update. This was issued via an automatic update, but can also be downloaded on the Hue website.

“We are committed to protecting our users’ privacy and do everything to make our products safe. We are thankful for responsible disclosure and collaboration from Check Point, it has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk,” said George Yianni, head of technology at Philips Hue.

Wider ZigBee vulnerabilities in IoT

While the research focused only on the Philips Hue range, as ZigBee is used in a wide range of IoT devices, it is quite likely that the exploit can be used on other products.

Product ranges that use ZigBee technology include Amazon Echo, Samsung SmartThings and Belkin WeMo, but brand-specific testing will need to be conducted to determine if these devices can also be exploited in this way.

The research also highlights how mundane IoT devices can pose a severe threat to home and office networks, yet can be easily overlooked.

“Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware,” said Yaniv Balmas, head of cyber research at Check Point.

“It’s critical that organisations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”

Read more: UK government proposes stricter IoT security requirements