The light given off by some WiFi light bulbs may expose more than just a dark room, as Check Point researchers have found a vulnerability in Philips Hue smart bulbs and bridge enabling them to remotely infiltrate the device.

The specific vulnerability is CVE-2020-6007, a heap-based buffer overflow that occurs when handling a long ZCL string during the commissioning phase, resulting in remote code execution. Check Point's Institute for Information Security team was able to take control of a light bulb and install malware enabling them to take over the device's control bridge and attack the network.

The overall process to abuse the vulnerability is a bit convoluted and requires some action on the part of the homeowner. According to Check Point:

- The hacker controls the bulb's color or brightness to trick users into thinking the bulb has a glitch. The bulb appears as 'Unreachable' in the user's control app, so they will try to 'reset' it.
- The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb.
- The bridge discovers the compromised bulb, and the user adds it back onto their network.
- The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.
- The malware connects back to the hacker and using a known exploit (such as EternalBlue), they can infiltrate the target IP network from the bridge to spread ransomware or spyware.

The bulb's manufacturers, Philips and Signify, were notified and have pushed out a firmware patch.
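The bug class Check Point describes, a length-prefixed ZCL string copied into a fixed-size heap buffer, shown as an added C illustration that is constructed for this article and is not the Hue bridge's code; the function names, the 32-byte capacity and the sample frames are assumptions:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative parsing of a ZCL character string (ZCL type 0x42: one
 * length byte followed by that many characters). Names, the 32-byte
 * capacity and the frames below are constructed for this example and
 * are not taken from the Hue bridge firmware. */
#define NAME_CAPACITY 32        /* hypothetical fixed-size heap buffer */
#define ZCL_STRING_INVALID 0xFF /* ZCL: length 0xFF means "no value" */

/* Bug pattern: the length byte from the frame drives the copy into a
 * fixed heap allocation, so a string longer than NAME_CAPACITY writes
 * past it. Shown for contrast only; nothing here calls it. */
char *parse_name_unchecked(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 1) return NULL;
    uint8_t len = pkt[0];
    char *name = malloc(NAME_CAPACITY);
    if (!name) return NULL;
    memcpy(name, pkt + 1, len);  /* len never compared to NAME_CAPACITY */
    name[len] = '\0';
    return name;
}

/* Hardened form: check the length against the frame that carries it and
 * against the destination before copying; NULL tells the caller to drop
 * the frame instead of trusting it. */
char *parse_name_checked(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 1) return NULL;
    uint8_t len = pkt[0];
    if (len == ZCL_STRING_INVALID) return NULL;  /* "no value" marker */
    if ((size_t)len > pkt_len - 1) return NULL;   /* truncated frame */
    if (len >= NAME_CAPACITY) return NULL;        /* no room for data + NUL */
    char *name = malloc(NAME_CAPACITY);
    if (!name) return NULL;
    memcpy(name, pkt + 1, len);
    name[len] = '\0';
    return name;
}

int main(void) {
    const uint8_t ok[] = {4, 'L', 'a', 'm', 'p'};   /* constructed frame */
    uint8_t big[1 + 200];                            /* over-long string */
    big[0] = 200; memset(big + 1, 'A', 200);
    char *n = parse_name_checked(ok, sizeof ok);
    printf("benign: %s\n", n ? n : "(rejected)"); free(n);
    n = parse_name_checked(big, sizeof big);
    printf("over-long: %s\n", n ? "accepted" : "rejected"); free(n);
    return 0;
}
```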