Philips Hue smart bulb allows hackers to attack your network
Owners of Philips Hue smart bulbs are being urged to check their firmware, after the publication of a vulnerability in how the accessories communicate with each other over Zigbee that could allow an attacker to gain control over the whole home network.

Found by Check Point security researchers, the vulnerability lies in the Philips Hue bulbs' use of Zigbee, a communication protocol used by a large number of smart home devices to talk to each other. By attacking Zigbee, the attacker can take control of the Hue Bridge that connects the bulbs to the rest of the home network.
Using a Zigbee antenna, the would-be attacker can force one of the bulbs to be pushed off the smart home device network entirely, before putting malicious code into the bulb itself. If the user then tries to bring the suddenly faulty bulb live by re-pairing it in the Hue app, the malware can be spread from the bulb to the Hue Bridge, which in turn is connected to the router.
Once the malware reaches the Hue Bridge, the attacker can have access to the rest of the network, enabling further attacks to take place.
Check Point informed Signify, the parent company of Philips Hue, of the details of the attack, which has resulted in a firmware fix that will be rolled out to all affected Philips Hue bulbs. As per typical responsible disclosure protocol, Check Point will issue a full report on the vulnerability within a few weeks, after the patch has been given time to propagate to users.
Users are encouraged to open the Hue app to check for any available updates for the bulbs, and to install them as soon as possible, though many will find their devices will automatically install the updates. The latest firmware that patches the flaw is version 1935144040.
Yaniv Balmas, head of cyber research at Check Point Research, warns: "Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly 'dumb' devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware."
It is unclear if the same technique could be used to attack other Zigbee-based smart home devices, many of which could be controlled under Apple's HomeKit framework. Other prominent Zigbee users include the Amazon Echo Plus, Belkin's WeMo system, and the Ikea Tradfri collection.

Comments
It is also clearly on Apple's radar, as given by the introduction of HomeKit-Routers by Craig Federighi during the June 2019 keynote, where he pretty much described this exact scenario.
That said, if it makes me a Luddite to reject light bulbs that feature a need for firmware, then I'll just have to accept the characterization.
Many of the IoT devices currently available have been rushed to market with little concern for security. Many manufacturers find that it is not possible to add HomeKit support to their products without more or less starting again from scratch.
If we choose devices that have native and direct support for HomeKit we can be reasonably confident that it meets a minimum standard for security. I would avoid devices that use some kind of “bridge” or “gateway” to work with HomeKit or that create their own radio network such as Zigbee.
PS: I'm no longer seeing the options to Like a comment or say it's informative with a single click. I hope that's temporary, and not an administrative decision.
I can appreciate the potential usefulness of maybe a fridge having product tracking and whatnot, but I also have known for a VERY long time that the computer industry can not be trusted to make anything reliable.
If it is a general purpose computer inside, if it requires software maintenance, and ESPECIALLY if it requires connection to a computer of some kind to be functional, it’s automatically a thing I presume will be useless in a couple years... or worse: garbage on day one. Or even worse than garbage: dangerous.
This whole industry has been like this forever. It seems that only the people who don’t see tech/computers as an end of their own can actually see the scale of this problem. It’s a systemic and pervasive culture of acceptance of broken shit, and defending the broken shit with memes like “you’re too ignorant about technology to understand why everything has bugs”. It’s not an inherent function of technology to be broken. It is a culture of acceptance (and often worship).
Web based passwords are my only concern... these things are not.