Time to patch your lightbulb? Researchers demonstrate Philips Hue exploit

Researchers at Check Point have demonstrated how to infect a network with malware via a simple IoT device, a Philips Hue smart lightbulb. This is an exercise in escalation. There are a couple of vulnerabilities involved. One is CVE-2020-6007 which is a buffer overflow in the Philips Hue Bridge controller firmware, in the part …

  1. Individual #6/42

    Is this just Hue?

    As Zigbee is used by a lot of other networks?

    1. fobobob

      Re: Is this just Hue?

      The CVE mentioned in the article is for a buffer overflow exploit in Philips' firmware; the exploit does seem to be doing something within the ZigBee software stack (ZigBee Light Link), as implemented there. That does raise concerns that maybe this is not limited to one manufacturer.

  2. redpawn

    It only takes one

    crap element in an IoT setup. I'm surprised state actors aren't giving this stuff away for free or requiring their use in all homes, in order to save energy or some such.

    1. Anonymous Coward

      Aliexpress

      /me looks at the recent batch of 2$ wifi arduino clones from China.

    2. iron

      Re: It only takes one

      They are.

      See Amazon's Police partnership scheme for Ring:

      https://www.theregister.co.uk/2019/11/20/ring_police_spying/

    3. JimboSmith

      Re: It only takes one

      This is why my Hue lights are on a separate closed wifi network that is only used for the Hue lights. The bloke when I was buying the starter kit said I didn't want to do that because then I couldn't switch them off or change colours whilst away from home. He couldn't understand why I wouldn't want to do that.

    4. Halfmad

      Re: It only takes one

      Get your free Smart Meter today

      (paid for by you through taxation and billing.)

  3. Jason Bloomberg Silver badge

    "an update that reduces infection range to 1m or less"

    Wouldn't it just take someone who knows about RF to boost the output power and sensitivity of a Zigbee transceiver to increase its range? The controller wouldn't know if it's normal power and close, or super-power and far away.

    Father Ted might have had the idea first.

    1. Richard 12 Silver badge
      Megaphone

      Re: "an update that reduces infection range to 1m or less"

      They'd also need a highly directional antenna, as otherwise the attacker wouldn't be able to receive the responses.

      So they'd also need to aim the antenna reasonably well. Though as lamps tend to be in predictable locations, that's not a huge ask.

      10 to 100 times improvements are certainly feasible with a high-gain directional antenna and RF amp.

      It does however greatly reduce the prospect of taking over an entire city, as that attack scenario relied on each Hue being able to suborn another, without any hardware modifications.

      1. Loyal Commenter Silver badge

        Re: "an update that reduces infection range to 1m or less"

        See also: accessing the Wi-Fi across the street using a Pringles can, where "highly directional antenna" also means "normal antenna with a suitable waveguide"...

    2. W.S.Gosset Silver badge
      FAIL

      Re: "an update that reduces infection range to 1m or less"

      Quite so.

      Cf. the now-old demonstrations of Bluetooth connections (MAX! 15ft!) at multi-kilometre ranges, using nothing more complex than a Pringles can.

      Range-based RF "security" is No security.

    3. rajivdx

      Re: "an update that reduces infection range to 1m or less"

      It just means that while drones are not feasible for scanning whole cities for Philips Hue bulbs, you can still take over targeted homes with a highly directional antenna.

      Hell, you may not even need that - many homes use Hue lamps on the outside for the outdoor lights to turn on automatically when a visitor arrives. Just walk up to the bulb and infect it. Also from what I am reading, the bulb does not need to belong to the home's Hue network as it requires the owner to re-add the infected bulb. So, just walk around the neighbourhood and swap out all outdoor Hue bulbs with infected ones from your backpack.

  4. IGotOut Silver badge

    It's not just Smart bulbs that are at risk

    I've recently discovered a flaw in my set up.

    By pressing a small device on my walls, I can turn the bulbs on AND off by simply pressing it. No encryption, no authentication, no app required...nothing!

    This needs to be sorted before others find this blatant security hole. This has clearly been left in so the Chinese or NORKs can take over our cities!

    1. mrobaer

      Re: It's not just Smart bulbs that are at risk

      You think that's bad. My electrical outlets are vulnerable to a DoS from people who insist on clapping.

    2. vtcodger Silver badge

      Re: It's not just Smart bulbs that are at risk

      You're talking about a light switch, right? I guess that's OK ... But ... But ... How does your vendor download critical security patches to it?

  5. Anonymous Coward

    This is what happens

    when even a light bulb is smarter than its owner.

  6. Jason Hindle Silver badge

    X Files Series 11, episode (I think) 7

    Where our heroes' smart home tries to bump them off after Mulder refuses to tip at an entirely automated restaurant.

  7. ecofeco Silver badge

    The stupid

    It burns bright.

  8. JakeMS
    Meh

    I still..

    Don't feel a good reason to own most of this "IoT" stuff. I don't own any yet because I've yet to find a valid reason to need it.

    Perhaps I'm still too old fashioned. I honestly don't feel there is a huge reason I can't just use a daemon on the wall to start and stop my light bulbs.

    If I wanted to adjust brightness I'm happy to buy an old fashioned dimmer set. As for changing colours of the bomb, can't say I've ever felt I wanted to randomly change the colour of my lights.

    1. DontFeedTheTrolls
      Boffin

      Re: I still..

      When a relative went into care I installed some Hue, some Arlo and NetAtmo Weather to remotely monitor the property. The technology is now cheap enough.

      Motion detection video, doorbell picked up on audio could turn a light on, scheduled light changes, and monitored the temperature without having the heating on all the time (old thermostat, no frost protection).

      It's a use case. Not saying it's brilliant, but it is a use case.

    2. IGotOut Silver badge
      Joke

      Re: I still..

      @JakeMS

      "As for changing colours of the bomb"

      Is this something we should alert the authorities to?

  9. Anonymous Coward

    nice attack

    And surely plenty more to come with all el cheapo shit IoT coming from China compared to which Philips gear is golden in terms of security.

    Quick (long) story:

    I recently bought a security CAM from a reputed Swiss vendor. Mark was SWI***, so possibly Swiss, meaning good product.

    Looking at the crap closing hatch for the batteries, I wondered how it would achieve IP65, but whatever.

    There was a USB port but "only for power". This began to look like crap. How expensive is a real USB port for config?

    Then the config:

    - download an app on a mobile phone (Eh?)

    - connect the app to a WIFI network, not using the phone network bizarrely, but only with a passwd between 5 and 32 chars (WTF?). So no open wifi or very secured wifi.

    - then the real part: configure the CAM from the app: press a pairing button on the cam and the app will play music to configure the CAM!!!! WHAAAT? A dodgy modulation, inferior to the 90s technology (modems, remember?). Spent 10 times trying, it never worked.

    - spent 2 hours on the web looking for a forum with this model, never found one, only Swiss (only) sites selling this shit. Same with comparison sites, no SWI*** ever. Then, I came across a CAM made by a reputable vendor: same perf, same look *EXACTLY*, same functionalities *EXACTLY*.

    End of the day, the day after I went to the shop telling them 2 things:

    1- doesn't work, I want my money back. I did.

    2- you should remove from the shelves since it is a counterfeit Chinese product with Shenzhen written all over the docs! The dude laughed at me telling me it was a Swiss model! What a gullible idiot.

    All of the above plus the article tells me the only safe way to IoT is a separate security zone + strict rules NOTHING should exit it at all plus strict rules for incoming traffic.

    1. Loyal Commenter Silver badge

      Re: nice attack

      Well, that sounds dodgy AF. You've probably compromised your phone and your Wi-Fi network. It wouldn't surprise me if this was gear intended for a state-sponsored hack against a specific target and it has somehow made its way into the shops.

      Did it require you to side-load the app onto your phone? If so, I'd suggest you assume your phone has been compromised, and do a factory reset. The "requirement" for a Wi-Fi password between 5 and 32 characters implies it's also trying to crack your Wi-Fi password. Change it.

  10. W.S.Gosset Silver badge
    Mushroom

    Real-world Consequences of memes

    And this is a wonderful example of why IoT's blind vomiting over the world is a really stupid idea.

    IoT offers some benefits for a very small proportion of use-cases but essentially nothing more than novelty value for the vast majority.

    In exchange, it explodes the Attack Surface of your entire tech.environment.

    And since the vast bulk of people do not have the lucky intersection of having the time AND the interest AND critically the specialist knowledge to dedicate chunks of time&effort continuously to custom-configure then keep-updated their home networks and ALL attachable devices --or even to really understand the risk, for perhaps 99% of people-- all IoT does in the real world is vastly increase the risk of potentially life-catastrophic* events.

    * go through a few case-studies of the impact of a non-tech opening an apparently-trustworthy document or even a simple SIM-swap attack to properly grok how society's other "systems"-in-place, eg banking, have no real provision for recovering without you managing to achieve a 3rdparty's manual override.

    Classic example: coupla years ago Australia's "security czar" or whatever the title was, had her life reduced to carnage stress drama from one such (no bank accounts etc.), which even with her major political clout, public presence, assistance by her own security-dedicated department, and connections took many months to even stabilise let alone return to normal. Seem to recall she was still out thousands of dollars.

    As she put it, what chance has an ordinary person got?

    1. W.S.Gosset Silver badge

      Re: Real-world Consequences of memes

      OLD: "Sorry, I can't come out tonight, I'm washing my hair."

      THE NEW HOTNESS:

      "Sorry, I can't come out this weekend. I'm downloading documentation and learning yet another new configuration subsystem's special syntax and hoping I've bought the right cables+devices to connect to custom hardware and learning Tier-1 specialist networking skills and wider understanding to further modify and lock down/segregate my wallmodem thingy, so that my lightbulbs no longer threaten my entire life's savings and/or block my bank accounts so I can't pay rent so I become homeless in what everyone it's happened to says is a startling hurry, handful of weeks. I'm a hairdresser, so I hope I don't make a mistake."

  11. EnviableOne
    FAIL

    Security by design and default

    Why on earth is the auto-update mechanism not enabled by default!!!!!!!!
