
By Shannon Morse, ThreatWire 

A running joke among infosec folks is hacking a light bulb to hack a network. It's funny because it's made at the expense of insecure smart IoT devices, and we obviously never want it to be a reality. Unfortunately, it can become one if you don't update your firmware.

New research from Check Point shows how several high-severity flaws affect Philips Hue Smart Light Bulbs. They can be exploited over the air from up to 100 meters away and used as a pivot point to gain access to other devices on a network. The vulnerability is tracked as CVE-2020-6007: the Philips implementation of the Zigbee communications protocol in its smart bulbs and bridge is susceptible to buffer overflows. Zigbee is a wireless protocol used in many IoT devices, including Echos, Samsung SmartThings, and Philips Hue bulbs. The flaw would let an attacker potentially infect the bulb and other network devices with ransomware or malware using nothing more than a capable laptop and an antenna that can transmit from 100 meters away. The attack itself lands on the Hue Bridge, with the bulb as the way in.

Check Point did not release code or a proof of concept, but they did release a video demoing the attack. In the video, the attacker first takes over a bulb using a previously known vulnerability discovered back in 2016. Exploiting that vulnerability makes the bulb unreachable in the control app, which forces the user to reset the bulb and reconnect it. When the user re-adds the hacked bulb, the bridge reconnects to it, and the bulb exploits the Zigbee implementation flaw, triggering a buffer overflow on the bridge. The infected bridge can then be used to pivot to other devices on the network.

While not tested, Check Point states this may not be limited to Hue bulbs, since the problem is due to the implementation of the Zigbee protocol. If other brands use Zigbee in the same way, they could be vulnerable as well.

In this case, Check Point alerted Philips and Signify (the brand behind Philips Hue) in November 2019, and a firmware patch was released last month. In order to update, click on the settings tab, scroll down to Software Update, and tap to see the firmware versions. If you’re already updated to version 1935144040, you’re fine. If not, click on each device in the app to update them manually. White checkmarks mean they are fully updated. Alternatively, turn on automatic updates in that same menu to ensure crucial patches are received in a timely manner.
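A scripted version of that version check, as an added example that is not from the post or from Signify: it reads the bridge's firmware version from the local Hue API and compares it with the patched version the post names. It assumes the bridge exposes an unauthenticated GET /api/config endpoint returning JSON with a "swversion" field, that any numerically later version also carries the fix, and that the bridge IP is supplied by you.

```python
"""Check a Philips Hue Bridge's firmware version against the patched release.

Assumptions (not from the original post): the bridge's unauthenticated local
endpoint GET http://<bridge-ip>/api/config returns JSON with a "swversion"
field, and any version numerically greater than the patched one also carries
the fix. The bridge IP is a placeholder you must supply on the command line.
"""
import json
import urllib.request

# Patched bridge firmware version named in the post.
PATCHED_VERSION = 1935144040


def parse_swversion(config_json: str) -> int:
    """Extract the numeric firmware version from a /api/config JSON body.

    Raises ValueError if the field is missing or not numeric, so a malformed
    or unexpected response is never silently treated as 'patched'.
    """
    config = json.loads(config_json)
    version = config.get("swversion")
    if version is None:
        raise ValueError("no swversion field in bridge config")
    try:
        return int(str(version))
    except ValueError as exc:
        raise ValueError(f"unexpected swversion format: {version!r}") from exc


def is_patched(config_json: str, minimum: int = PATCHED_VERSION) -> bool:
    """True when the bridge reports a firmware version at or above the fix."""
    return parse_swversion(config_json) >= minimum


def fetch_bridge_config(bridge_ip: str, timeout: float = 5.0) -> str:
    """Fetch the bridge's config over the local network (no API key needed)."""
    url = f"http://{bridge_ip}/api/config"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses (not captured from a real bridge):
SAMPLE_OLD = '{"name": "Philips hue", "swversion": "1931144040", "modelid": "BSB002"}'
SAMPLE_NEW = '{"name": "Philips hue", "swversion": "1935144040", "modelid": "BSB002"}'

if __name__ == "__main__":
    import sys
    # Usage: python hue_check.py <bridge-ip>; with no IP, run on the old sample.
    body = fetch_bridge_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OLD
    state = "patched" if is_patched(body) else "NEEDS UPDATE"
    print(f"bridge firmware {parse_swversion(body)}: {state}")
```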

Support me on alternative platforms! https://snubsie.com/support

Shop ThreatWire Merch! - https://snubsie.com/shop

Subscribe to my new channel! https://www.youtube.com/shannonmorse

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire 

Links:

https://blog.checkpoint.com/2020/02/05/the-dark-side-of-smart-lighting-check-point-research-shows-how-business-and-home-networks-can-be-hacked-from-a-lightbulb/

https://www.theverge.com/2020/2/5/21123491/philips-hue-bulb-hack-hub-firmware-patch-update

https://thehackernews.com/2020/02/philips-smart-light-bulb-hacking.html

https://www.theverge.com/2020/2/5/21124023/philips-hue-firmware-how-to-check-updates-network-vulnerability
