How your network could be hacked through a Philips Hue smart bulb

Security researchers at Check Point have published details of vulnerabilities they have found in Philips Hue smart bulbs that could be exploited by hackers to compromise networks remotely.

The researchers were able to hijack control of the IoT bulbs and install malicious firmware on them. With that beachhead in place they were then able to launch attacks to compromise the bulbs’ control bridge and then use an inventive method to attack the network:

  1. The hacker controls the bulb’s color or brightness to trick users into thinking the bulb has a glitch. The bulb appears as ‘Unreachable’ in the user’s control app, so they will try to ‘reset’ it.
  2. The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb.
  3. The bridge discovers the compromised bulb, and the user adds it back onto their network.

The hacker-controlled bulb, containing the updated malicious firmware, uses a ZigBee protocol vulnerability to cause a buffer overflow on the control bridge, and install malware onto the bridge as well.

As the bridge is connected to the targeted business or home network, the hacker is now able to infiltrate the network via the bridge, and achieve their goal – whether it be to install ransomware, spy, or steal information.

In short, the attack started at the bulb, travelled to the bridge, and ultimately ended up at the network.

A video made by the researchers demonstrates the attack in action.

The researchers informed the Philips Hue team of the security vulnerabilities in November 2019, and patched firmware (version 1935144040) has since been made available.

Check Point’s research team, however, says it has delayed publishing full technical details of its discovery in order to allow more time for affected products to be updated.

Users are advised to ensure that their Hue System is fully updated by going to Settings -> Software Update -> Automatic Update in the Hue app.
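
For anyone looking after more than one bridge, the check below compares each reported firmware version against the patched version quoted above. It is an added example, not code from Check Point or Philips. It assumes that the version number is what a bridge reports in the `swversion` field of its local config JSON and that build numbers increase over time; the sample responses are constructed.

```python
import json

PATCHED_SWVERSION = 1935144040  # patched firmware version quoted in the article

# Constructed sample responses (not captured from real devices). Assumption:
# each is the JSON a bridge returns from its local config endpoint, with the
# firmware build number in "swversion".
SAMPLE_RESPONSES = {
    "office-bridge": '{"name": "Office", "swversion": "1935144040"}',
    "lobby-bridge": '{"name": "Lobby", "swversion": "1931140050"}',
    "lab-bridge": '{"name": "Lab", "swversion": "1940094000"}',
    "store-bridge": '{"name": "Store"}',
    "attic-bridge": "<html>502 Bad Gateway</html>",
}


def classify(raw_response, minimum=PATCHED_SWVERSION):
    """Return (status, detail) for one bridge config response."""
    try:
        config = json.loads(raw_response)
    except json.JSONDecodeError:
        return "unknown", "response is not JSON"
    if not isinstance(config, dict):
        return "unknown", "response is not a JSON object"
    version = str(config.get("swversion", "")).strip()
    # Refuse to guess: a missing or non-numeric version is never "patched".
    if not (version.isascii() and version.isdigit()):
        return "unknown", "no numeric swversion field"
    if int(version) < minimum:
        return "outdated", version
    return "patched", version


def audit(responses):
    """Classify every bridge; anything not provably patched needs follow-up."""
    report = {host: classify(raw) for host, raw in responses.items()}
    needs_action = sorted(h for h, (status, _) in report.items() if status != "patched")
    return report, needs_action


if __name__ == "__main__":
    report, needs_action = audit(SAMPLE_RESPONSES)
    for host, (status, detail) in sorted(report.items()):
        print(f"{host:14} {status:9} {detail}")
    print("follow up:", ", ".join(needs_action))
```

Bridges that return no usable version are listed for follow-up alongside outdated ones, since an unreachable or unparseable device cannot be shown to be patched.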

Of course, it’s worth bearing in mind that the researchers only put the Philips Hue light bulbs under the microscope because they were market-leading IoT devices. There are, no doubt, countless other IoT devices which are likely to be just as vulnerable, if not more so, but simply haven’t yet had a spotlight shone on them.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
