Researchers have demonstrated an ability to compromise an IoT smart bulb, and then use malware from the internet-connected bulb to infiltrate the rest of a network — regardless of whether that is a home or office.
In 2016, earlier researchers were able to compromise Philips Hue lightbulbs with malicious firmware, and then propagate to other adjacent lightbulbs. The vendor was able to fix the propagation issue, but due to design issues was unable to fix the original vulnerability. Now researchers at Check Point have been able to use this initial vulnerability to compromise the lightbulb and use it as a platform to take over first the controlling bridge, and then — using vulnerabilities in the ZigBee communication protocol — to propagate to other devices on the network.
ZigBee is a communication protocol that allows different smart products from different manufacturers to communicate with each other. Common users of Zigbee include Amazon Echo Plus, Samsung SmartThings, Belkin WeMo, and many more smart home devices. The Philips Hue lightbulb transmits and receives messages using Zigbee, and uses a device known as the bridge to receive commands.
“Check Point’s researchers,” said the firm in a blog report, “showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities.”
In a scenario described by the researchers, the hacker would remotely compromise the lightbulb (it can be achieved with a laptop and antenna from over 100 yards distance) and make it misbehave so the user thinks there is a problem. According to the control panel, the bulb appears ‘unreachable’ and needs to be reset. If this is done, the bridge reaches out to the compromised bulb and adds it back into the network.
The hacker-controlled lightbulb can then use ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge by sending a large amount of data that can include malware. The malware connects back to the hacker. Since the compromised bridge connects to the rest of the network, the hacker can now use a known exploit, such as EternalBlue, to spread other malware such as ransomware or spyware to the network.
“Many of us are aware that IoT devices can pose a security risk,” said Yaniv Balmas, head of cyber research at Check Point, “but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware. It’s critical that organizations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”
Check Point reported the issue to Philips and Signify (owner of the Philips Hue brand) in November 2019, but is not releasing full technical details of the hack until users have a chance to install the fix.
“We are thankful for responsible disclosure and collaboration from Check Point,” said George Yianni, head of technology at Philips Hue in a statement. “It has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk.”
Philips Hue is able to fix the vulnerability now (it couldn’t when it was first reported in 2017) through a joint effort by its own developers and the Check Point researchers. The solution uses Check Point technology acquired with the purchase of Cymplify, an Israeli startup founded in 2019, in November 2019. The protection modifies the existing firmware of the product and enforces Control-Flow-Integrity (CFI), preventing an attacker from hijacking the flow of the program. The proof-of-concept successfully blocked the exploit without any knowledge of the attack method used by the Check Point researchers, and without requiring any additional security device.
The patched firmware (Firmware 1935144040) is now available on the Philips Hue website, and it is recommended that users ensure that their product received the automatic update of this firmware version.