How many lightbulbs does it take to put a network at risk?
If it's a Philips Hue bulb, the answer to the question in the headline is just one, according to new research from Check Point. The research uncovered vulnerabilities that could enable a hacker to deliver ransomware or other malware to business and home networks by taking over the smart lightbulbs and their controller.
Researchers focused on the market-leading Philips Hue smart bulbs and bridge, and found vulnerabilities that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices.
Researchers were able to take control of a Hue lightbulb on a network, install malicious firmware on it and propagate to other adjacent lightbulb networks. While the vendor was able to fix the propagation vulnerability, attackers could still take over a target's Hue lightbulb. Using this remaining vulnerability, Check Point researchers took this work one step further and used the Hue lightbulb as a platform to take over the bulbs' control bridge and, ultimately, attack the target's computer network.
"Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly 'dumb' devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware," says Yaniv Balmas, head of cyber research at Check Point. "It's critical that organizations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today's complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks."
In the attack, the hacker remotely controls the bulb's color or brightness to trick users into thinking it has a glitch. The bulb appears as 'Unreachable' in the user's control app, so they try to reset it by deleting it from the app, and then instructing the control bridge to re-discover it. This adds the compromised bulb back onto the network. The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This also lets the hacker install malware on the bridge -- which is in turn connected to the target business or home network. The malware connects back to the hacker who, using a known exploit (such as EternalBlue), can then infiltrate the target IP network from the bridge to spread ransomware or spyware.
The research has been disclosed to Philips and the company has acted swiftly to issue a patch. George Yianni, head of technology at Philips Hue, says, "We are committed to protecting our users' privacy and do everything to make our products safe. We are thankful for responsible disclosure and collaboration from Check Point, it has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk."