Check Point security researchers have identified a smart bulb vulnerability Philips Hue which can lead an attacker to conduct an attack for take control of your home network of the victim. The vulnerability affects the use of the ZigBee protocol by Philips Hue bulbs.
Check Point informed Signify, the parent company of Philips Hue, sharing the details of the vulnerability and thus giving way to create a firmware that is already being distributed so that it is possible to update all the Philips Hue bulbs affected by the problem. In compliance with the protocol that Check Point adopts for the disclosure of security vulnerabilities, the full details of the vulnerability will be made public within the next few weeks to allow for the adequate dissemination and distribution of the corrective patch to users.
ZigBee a fairly widespread communication protocol in the IoT / smarthome environment and which allows devices to communicate easily with each other. CheckPoint explains that an attacker could use a ZigBee antenna and take control of a Philips Hue light bulb to simulate a malfunction and remove it from the network of devices, not before inserting malware into the light bulb itself. At this point if the user tries to bring the bulb back into the network using the Hue app, the malware can spread from the bulb to the Hue Bridge (the hardware control device of the various Philips Hue elements), which in turn connected to the home router. Once the malware reaches Hue Bridge, the attacker has the option of accessing the rest of the network with the possibility of further attacks.
Those who are in possession of Philips Hue bulbs are therefore advised to access the Hue app and check for updates and install them as soon as possible – although in most cases automatic updates may be active. The firmware version that addresses the vulnerability is 1935144040
Yaniv Balmas, researcher for Check Point Research, warns: "Many of us are aware that IoT devices can pose a security risk, but research shows that even the most ordinary and 'stupid' devices like light bulbs can be exploited by hackers and used to take over networks or install malware. "
It is currently unclear whether the same technique can be used to attack other Zigbee-based smart home devices, a protocol used, among others, by Amazon Echo Plus, Belkin WeMo and the Tradfri line of Ikea devices.