Owners of Philips Hue smart bulbs are being urged to check their firmware, after the publication of a vulnerability in how the accessories communicate with each other over Zigbee that could allow an attacker to gain control over the whole home network.
Discovered by Check Point security researchers, the vulnerability lies in the Philips Hue bulbs' use of Zigbee, a communication protocol that a large number of smart home devices use to talk to each other. By attacking Zigbee, the attacker can take control of the Hue Bridge that connects the bulbs to the rest of the home network.
Using a Zigbee antenna, the would-be attacker can force one of the bulbs to be pushed off the smart home device network entirely, before putting malicious code into the bulb itself. If the user then tries to bring the suddenly faulty bulb live by re-pairing it in the Hue app, the malware can be spread from the bulb to the Hue Bridge, which in turn is connected to the router.
Once the malware reaches the Hue Bridge, the attacker can gain access to the rest of the network, enabling further attacks to take place.
Check Point informed Philips Hue parent company Signify of the details of the attack, which has resulted in the creation of a firmware fix that will be rolled out to all affected Philips Hue bulbs. As per typical responsible disclosure protocol, Check Point will be issuing a full report on the vulnerability within a few weeks, after the patch has been given time to propagate to users.
Users are encouraged to open the Hue app to check for any available updates for the bulbs, and to install them as soon as possible, though many will find their devices will automatically install the updates. The latest firmware that patches the flaw is version 1935144040.
Head of cyber research at Check Point Research Yaniv Balmas warns, "Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly 'dumb' devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware."
It is unclear if the same technique could be used to attack other Zigbee-based smart home devices, many of which could be controlled under Apple's HomeKit framework. Other prominent Zigbee users include the Amazon Echo Plus, Belkin's WeMo system, and the Ikea Tradfri collection.
18 Comments
This is an IoT issue that everyone saw coming. Also most of these devices can talk directly to 3rd party servers, so it was an expectation that security holes like these were bound to pop up. It's also been assumed that this would be exploited by nefarious individuals/groups or governments to create backdoors into networks.
It is also clearly on Apple's radar, as given by the introduction of HomeKit-Routers by Craig Federighi during the June 2019 keynote, where he pretty much described this exact scenario.
This particular attack vector doesn't seem all that likely, since it relies on an overwhelmingly stronger signal to pull the Hue bulb off the local network. Just how would that work in practice? (Not to mention, why?) I think I'd notice some guy with a giant antenna lurking in the bushes.
That said, if it makes me a Luddite to reject light bulbs that feature a need for firmware, then I'll just have to accept the characterization.
Mine were already auto-updated and patched. I don’t manually check very often but if mine were then most others probably were, too.
It just keeps coming and coming. Nothing is secure, no one is safe, all of our data is out there, somewhere.
The reason why HomeKit has seen such slow adoption is because device manufacturers find it difficult to implement. A major reason HomeKit is hard to implement is because it has stringent security protocols.
Many of the IoT devices currently available have been rushed to market with little concern for security. Many manufacturers find that it is not possible to add HomeKit support to their products without more or less starting again from scratch.
If we choose devices that have native and direct support for HomeKit we can be reasonably confident that it meets a minimum standard for security. I would avoid devices that use some kind of “bridge” or “gateway” to work with HomeKit or that create their own radio network such as Zigbee.