Yes Your Philips Hue Light Bulbs Can Be Hacked Too, Update Firmware Now
Security researchers are warning of an exploit in the ZigBee low-power wireless power protocol that could allow an attacker to infiltrate a home network through smart lighting. The researches focused primarily on Philips Hue smart bulbs because of their market popularity in the smart lighting segment, though the ZigBee protocol is actually used on a wide range of Internet of Things (IoT) devices.
"Continuing from where the previous research left off, Check Point’s researchers showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities," Check Point stated in a blog post.
Check Point's researchers say they where able to take control of a Hue lightbulb on a home network and do things like change the brightness and colors, and turn the lighting on and off. They basically gave themselves full control over a target's lamp with a Philips Hue lightbulb installed. However, the real threat runs even deeper.
While annoying, there is the potential to hack a target's network. By messing with the lighting, a user may assume there is a glitch, and then proceed to delete it from the accompanying app. This is where things can go very bad. To add the compromised bulb back into the app, it needs to be discovered by the bridge.
"The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge—which is in turn connected to the target business or home network," Check Point explains.
From there, the attacker has a pathway into the target's network and can spread malware, including ransomware and spyware.
The good new is, Philips has rolled out a patch for the flaw. This should be rolled out automatically, but if you own a Philips Hue product, you should definitely check to make sure. You can do this by opening the Hue app and going to Settings > Software. The firmware version should be 1935144040 (or later).
Once the patch is in place, an attacker would not be able to spread malware through a network by leveraging this vulnerability. So, what's the bad news? An attacker could still hack the lighting. That's as far as they could go, though, so at least you're protected from deeper security intrusions.