Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
2/6/2020
04:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Researchers Reveal How Smart Lightbulbs Can Be Hacked to Attack

New exploit builds on previous research involving Philips Hue Smart Bulbs.

Most people installing smart lightbulbs in their homes or offices are unlikely to see the devices as providing a potential entry point for cybercriminals into their networks. But new research from Check Point has uncovered precisely that possibility.

In a report released this week, researchers described how attackers could break into a home- or office network and install malware, by exploiting a security flaw in a communication protocol used in Philips Hue Smart Bulbs on the network.

"From our perspective, the main takeaway from this research is emphasizing that IoT devices, even the most simple and mundane ones, could be attacked and taken over by attackers," says Eyal Itkin, security researcher at Check Point.

Check Point's exploit builds on previous work from 2017 where researchers showed how they could take complete control of a large number of Philips Hue smart bulbs—such as those that might be deployed in a modern city—by infecting just one of them. Philips since has addressed the vulnerability that allowed malware to propagate from one infected smart bulb to the next.

But another implementation issue that allows attackers to take control of a Philips Hue smart bulb and install malware on it via an over-the-air firmware update, has not been fixed. Check Point researchers found that by exploiting that issue—and another security vulnerability they discovered in the Zigbee implementation of the Philips Hue smart-bulb control-bridge (CVE-2020-6007)—they could launch attacks on the network to which the bridge is connected.

Zigbee is a widely used smart-home protocol. Multiple other smart home products use the protocol including Amazon Echo, Samsung SmartThings, and Belkin WeMo. With Philips Hue smart bulbs, the bridge uses Zigbee to communicate with and control the bulb. But there are other smart bulbs that don't require a bridge at all and instead operate over Bluetooth or WiFi and are managed through a Zigbee-capable digital assistant.

"The attack grants the attacker access to the computer network to which the bridge is connected," Itkin says.

In a home scenario, an attacker could use the exploit to spread malware or to spy on home computers and other connected devices. "In an office environment, it would probably be the first step in an attempt to attack the organization, steal documents from it, or prepare a dedicated ransomware attack on sensitive servers inside the network," he says.

In Check Point's attack, the researchers first took control of a Philips Hue lightbulb, using the previously discovered vulnerability from 2017, and installed malicious firmware on it. They then demonstrated how an attacker could control the lightbulb—by constantly changing its colors, and its brightness for instance—to get users to delete the errant bulb from their app and reset it.

When the control bridge rediscovers the bulb and the user adds it back to their network, the malicious firmware exploits the Zigbee protocol vulnerability on it to install malware on the bridge. The malware then connects back to the attacker and using a known exploit—like EternalBlue—the attackers can then infiltrate the target network from the bridge, Check Point said.

Complex But Exploitable Flaw

The exploit only works if a user deletes a compromised bulb and instructs the control bridge to re-discover it: "Without the user issuing a command to search for new lightbulbs, the bridge won't be accessible to our now-owned lightbulb, and we won't be able to launch the attack," Itkin says.

Specifically, the vulnerability Check Point discovered is only accessible when the bridge is adding or commissioning a new lightbulb to the network, he says.

The vulnerability that Check Point discovered is rated as "complex" to exploit because of the tight constraints in the Zigbee protocol around message sizes and timing. An attacker must be relatively close to the target network in order to take initial control of a bulb.

The 2017 research showed how attackers could take control of a user's Philips Smart Hue lightbulb from over 1,300 feet (400m). If launched from a distance, the attack requires a directed antenna and sensitive receiving equipment to intercept Zigbee messages between the bulb and control bridge, Itkin says. "In a classic scenario, the attack could be performed from a van that parks down the street."

Check Point n November 2019 notified Philips and Signify, which owns the Hue brand, about the threat it found. Signify has issued a patch for the flaw, which is now available on their site. "The Philips Hue Bridge has automatic updates by default and the firmware should be downloaded and installed automatically," Itkin notes. They should also check the mobile app and verify that the firmware version has been updated to 1935144040, he says.

Pavel Novikov, head of the telecom security research team at Positive Technologies, says security in the Zigbee protocol is implemented via mandatory encryption. But when a device is connected to the Zigbee hub for the first time, there is a moment when encryption is not used, and the device and network are vulnerable to interception.

"Unfortunately, this architectural vulnerability cannot be fixed," he says. All users can do is be aware of it and take pay attention when devices are paired. "If your device has dropped out of the network, don't rush to bind it again, because this could be the start of a hacker attack."

For enterprise organizations, Check Point's research is another example of how IoT is continuing to expand the attack surface, said Mike Riemer, global chief security architect at Pulse Secure. "Many IoT devices have open default settings and require configuration and patch hygiene," he said. Organizations need to implement a Zero Trust approach to security and ensure that all connected devices are visible, verified, properly monitored, and segregated, he said.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "What Is a Privileged Access Workstation (PAW)?."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
YorkLawFirm
50%
50%
YorkLawFirm,
User Rank: Apprentice
2/7/2020 | 12:08:59 AM
Thanks
Thanks for sharing this post

 

 

 

Elder Law Sacramento
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5347
PUBLISHED: 2020-04-04
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses.
CVE-2020-5348
PUBLISHED: 2020-04-04
Dell Latitude 7202 Rugged Tablet BIOS versions prior to A28 contain a UAF vulnerability in EFI_BOOT_SERVICES in system management mode. A local unauthenticated attacker may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in system management mode.
CVE-2020-8142
PUBLISHED: 2020-04-03
A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was how...
CVE-2020-8143
PUBLISHED: 2020-04-03
An Open Redirect vulnerability was discovered in Revive Adserver version < 5.0.5 and reported by HackerOne user hoangn144. A remote attacker could trick logged-in users to open a specifically crafted link and have them redirected to any destination.The CSRF protection of the “/...
CVE-2020-8147
PUBLISHED: 2020-04-03
Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using utils-extend.