Hacked from a Lightbulb

Hacked from a Lightbulb thumbnail

Everyone is familiar with the concept of IoT, the Internet of Things, but how many of you have heard of smart lightbulbs? By using a mobile app, or your digital home assistant, you can control the light in your house and even calibrate the color of each lightbulb! These smart lightbulbs are managed over the air using the familiar WiFi protocol or ZigBee, a low bandwidth radio protocol.

Back in 2017, a team of academic researchers showed how they can take over and control smart lightbulbs and how this in turn allows them to create a chain reaction that can spread throughout a modern city. Their research brought up an interesting question: Could attackers somehow bridge the gap between the physical IoT network (the lightbulbs) and attack even more appealing targets, such as the computer network in our homes, offices or even our smart city?

And the answer is: Yes.

Continuing from where the previous research left off, Check Point’s researchers showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities. Our researchers focused on the market-leading Philips Hue smart bulbs and bridge, and found vulnerabilities (CVE-2020-6007) that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices.

With the help of the Check Point Institute for Information Security (CPIIS) in Tel Aviv University, the researchers were able to take control of a Hue lightbulb on a target network and install malicious firmware on it. From that point, they used the lightbulb as a platform to take over the bulbs’ control bridge, and attacked the target network as follows:

  1. The hacker controls the bulb’s color or brightness to trick users into thinking the bulb has a glitch. The bulb appears as ‘Unreachable’ in the user’s control app, so they will try to ‘reset’ it.
  2. The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb.
  3. The bridge discovers the compromised bulb, and the user adds it back onto their network.
  4. The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.
  5. The malware connects back to the hacker and using a known exploit (such as EternalBlue), they can infiltrate the target IP network from the bridge to spread ransomware or spyware.

The research was disclosed to Philips and Signify (owner of the Philips Hue brand) in November 2019. Signify confirmed the existence of the vulnerability in their product, and issued a patched firmware version (Firmware 1935144040) which is now available on their site. We recommend users to make sure that their product received the automatic update of this firmware version.

Check Point is the first vendor to provide a consolidated security solution that hardens and protects the firmware of IoT devices. Utilizing a recently acquired technology Check Point allows organization to mitigate device level attacks before devices are compromised utilizing on-device run time protection.

Here is a video that shows how our researchers exploited the vulnerabilities in the Philips Hue bridge in order to infiltrate into the victim’s computer network, later also attacking the computer itself using the EternalBlue exploit. The video then shows Check Point’s unique on-device protection against the demonstrated attack.

In a joint decision with Signify, we decided to postpone the release of the full technical details of our research in order to allow Philips Hue clients to have enough time to safely update their products to the latest version. Thus, the full technical details of this research will only be published in our research blog (https://www.research.checkpoint.com/) in the upcoming weeks. Stay tuned.

Read More