A Philips Hue vulnerability allows a hacker to take control of individual bulbs, switching them on or off at will, as well as changing both color and brightness. This can be done remotely using a laptop with radio transmitter. You can watch a demonstration video below.
While that risk remains, the company has acted to block an escalation vulnerability that previously allowed the attacker to compromise the Hue bridge and from there the rest of the network, including any PCs connected to it…
The vulnerability was discovered in the Zigbee communication protocol used by Philips Hue bulbs and other smart home devices. Zigbee is also used by Amazon Echo Plus, Samsung SmartThings, Belkin WeMo, Hive Active Heating and accessories, Yale smart locks, Honeywell thermostats, Bosch Security Systems, Ikea Tradfri, Samsung Comcast Xfinity Box, and more.
Check Point security researchers discovered a way to escalate the attack from the control of a single bulb to take over the entire network. The escalation works like this:
- The attacker uses the original vulnerability to take control of one bulb
- The user sees random behavior and is also unable to control the bulb themselves
- The obvious troubleshooting step is to delete the bulb and scan for it again, re-adding it
- Re-adding it now gives malware in the bulb access to the Hue bridge
- From there, it can propagate, including to connected PCs
Once the attacker has access to a connected PC, they can install things like key-loggers and ransomware.
Check Point, of course, did the responsible thing, disclosing its findings to Signify, the owner of the Philips Hue brand. A patch is now available. Users are advised to check the Hue app to see if any updates are available and to install them if so.
Note that the original vulnerability, allowing control of individual bulbs, cannot be patched, as this would involve a hardware change to the bulbs themselves. But installing the update will ensure it cannot spread to other devices on your network.
Check Point says that it is especially important for businesses with Hue bulbs to protect themselves.
“Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware,” said Yaniv Balmas, Head of Cyber Research at Check Point Research. “It’s critical that organizations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex cyber attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”
Philips Hue thanked Check Point for the responsible disclosure.
You can watch the video demo below.
FTC: We use income earning auto affiliate links. More.