The light given off by some WiFi light bulbs may expose more than just a dark room as Check Point researchers have found a vulnerability in Philips Hue smart bulbs and bridge enabling them to remotely infiltrate the device.
The vulnerability is CVE-2020-6007, a heap-based buffer overflow that occurs when handling a long ZCL string during the commissioning phase, resulting in remote code execution. The Check Point Institute for Information Security team was able to take control of a light bulb and install malware enabling them to take over the device’s control bridge and attack the network.
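The bug class above is an attacker-controlled length field that is trusted before copying. As an added example (not code from Check Point’s write-up or from Philips/Signify), here is a bounds-checked reader for the ZCL character-string type, whose one-byte length prefix is exactly the value a commissioning parser must validate against both the remaining frame and the destination buffer; the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ZCL "character string": one length octet followed by that many bytes.
 * 0xFF means "invalid/undefined" and carries no payload. The declared
 * length is attacker-controlled data, so it is checked twice: against
 * what the frame actually carries and against the caller's buffer. */
#define ZCL_STR_INVALID 0xFFu

typedef enum { ZCL_OK = 0, ZCL_ERR_TRUNCATED, ZCL_ERR_TOO_LONG, ZCL_ERR_INVALID } zcl_status;

/* Parse the string at frame[0..frame_len). On success copies the payload
 * into out (NUL-terminated, so out_cap must exceed the payload length)
 * and reports the number of frame bytes consumed via *consumed. */
zcl_status zcl_read_string(const uint8_t *frame, size_t frame_len,
                           char *out, size_t out_cap, size_t *consumed)
{
    if (frame_len < 1) return ZCL_ERR_TRUNCATED;          /* no length octet */
    uint8_t declared = frame[0];
    if (declared == ZCL_STR_INVALID) return ZCL_ERR_INVALID;
    if ((size_t)declared > frame_len - 1) return ZCL_ERR_TRUNCATED; /* frame too short */
    if (out_cap == 0 || (size_t)declared > out_cap - 1) return ZCL_ERR_TOO_LONG; /* would overflow */
    memcpy(out, frame + 1, declared);
    out[declared] = '\0';
    *consumed = 1u + declared;
    return ZCL_OK;
}

int main(void)
{
    /* constructed frames: a well-formed 5-byte name, and one that declares
     * 32 bytes for a 16-byte destination (rejected rather than copied) */
    const uint8_t good[] = {5, 'H', 'u', 'e', '0', '1'};
    uint8_t big[33]; big[0] = 32; memset(big + 1, 'A', 32);
    char buf[16]; size_t n = 0;
    printf("good -> %d (\"%s\", %zu bytes)\n",
           zcl_read_string(good, sizeof good, buf, sizeof buf, &n), buf, n);
    printf("big  -> %d\n", zcl_read_string(big, sizeof big, buf, sizeof buf, &n));
    return 0;
}
```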
The process to abuse the vulnerability is a bit convoluted and requires some action on the part of the homeowner.
- The hacker controls the bulb’s color or brightness to trick users into thinking the bulb has a glitch. The bulb appears as ‘Unreachable’ in the user’s control app, so they will try to ‘reset’ it.
- The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb.
- The bridge discovers the compromised bulb, and the user adds it back onto their network.
- The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge, which is in turn connected to the target business or home network.
- The malware connects back to the hacker and, using a known exploit (such as EternalBlue), they can infiltrate the target IP network from the bridge to spread ransomware.
The bulb’s manufacturers, Philips and Signify, were notified and have pushed out a firmware