Is this just Hue?
As Zigbee is used by a lot of other networks?
Researchers at Check Point have demonstrated how to infect a network with malware via a simple IoT device, a Philips Hue smart lightbulb. This is an exercise in escalation. There are a couple of vulnerabilities involved. One is CVE-2020-6007 which is a buffer overflow in the Philips Hue Bridge controller firmware, in the part …
The CVE mentioned in the article is for a buffer overflow exploit in Philips' firmware; the exploit does seem to be doing something within the ZigBee software stack (ZigBee Light Link), as implemented there. That does raise concerns that maybe this is not limited to one manufacturer.
This is why my Hue lights are on a separate closed wifi network that is only used for the Hue lights. The bloke when I was buying the starter kit said I didn't want to do that because then I couldn't switch them off or change colours whilst away from home. He couldn't understand why I wouldn't want to do that.
Wouldn't it just take someone who knows about RF to boost the output power and sensitivity of a Zigbee transceiver to increase its range? The controller wouldn't know if it's normal power and close, or super-power and far away.
Father Ted might have had the idea first.
They'd also need a highly directional antenna, as otherwise the attacker wouldn't be able to receive the responses.
So they'd also need to aim the antenna reasonably well. Though as lamps tend to be in predictable locations, that's not a huge ask.
10 to 100 times improvements are certainly feasible with high-gain directional antenna and RF amp.
It does however greatly reduce the prospect of taking over an entire city, as that attack scenario relied on each Hue being able to suborn another, without any hardware modifications.
It just means that while drones are not feasible for scanning whole cities for Philips Hue bulbs, you can still take over targeted homes with a highly directional antenna.
Hell, you may not even need that - many homes use Hue lamps on the outside for the outdoor lights to turn on automatically when a visitor arrives. Just walk up to the bulb and infect it. Also, from what I am reading, the bulb does not need to belong to the home's Hue network, as it requires the owner to re-add the infected bulb. So, just walk around the neighbourhood and swap out all outdoor Hue bulbs with infected ones from your backpack.
I've recently discovered a flaw in my set up.
By pressing a small device on my walls, I can turn the bulbs on AND off by simply pressing it. No encryption, no authentication, no app required...nothing!
This needs to be sorted before others find this blatant security hole. This has clearly been left in so the Chinese or NORKs can take over our cities!
I don't feel there's a good reason to own most of this "IoT" stuff. I don't own any yet because I've yet to find a valid reason to need it.
Perhaps I'm still too old fashioned. I honestly don't feel there is a huge reason I can't just use a daemon on the wall to start and stop my light bulbs.
If I wanted to adjust brightness I'm happy to buy an old fashioned dimmer set. As for changing colours of the bulb, can't say I've ever felt I wanted to randomly change the colour of my lights.
When a relative went into care I installed some Hue, some Arlo and NetAtmo Weather to remotely monitor the property. The technology is now cheap enough.
Motion detection video, doorbell picked up on audio could turn a light on, scheduled light changes, and monitored the temperature without having the heating on all the time (old thermostat, no frost protection).
It's a use case. Not saying it's brilliant, but it is a use case.
And surely plenty more to come with all the el cheapo shit IoT coming from China, compared to which Philips gear is golden in terms of security.
Quick (long) story:
I recently bought a security CAM from a reputed Swiss vendor. The brand was SWI***, so possibly Swiss, meaning good product.
Looking at the crap closing hatch for the batteries, I wondered how it would achieve IP65, but whatever.
There was a USB port but "only for power". This began to look like crap. How expensive is a real USB port for config?
Then the config:
- download an app on a mobile phone (Eh ?)
- connect the app to a Wi-Fi network, not using the phone network bizarrely, but only with a password between 5 and 32 chars (WTF?). So no open Wi-Fi or very secure Wi-Fi.
- then the real part: configure the CAM from the app: press a pairing button on the cam and the app will play a music to configure the CAM!!!! WHAAAT? A dodgy modulation, inferior to the 90s technology (modems, remember?). Tried 10 times; it never worked.
- spent 2 hours on the web looking for a forum with this model, never found one, only Swiss sites selling this shit. Same with comparison sites, no SWI*** ever. Then, I came across a CAM made by a reputable vendor: same perf, same look *EXACTLY*, same functionalities *EXACTLY*.
End of the day, the day after, I went to the shop and told them 2 things:
1- doesn't work, I want my money back. I did.
2- you should remove it from the shelves since it is a counterfeit Chinese product with Shenzhen written all over the docs! The dude laughed at me, telling me it was a Swiss model! What a gullible idiot.
All of the above plus the article tells me the only safe way to IoT is a separate security zone + strict rules: NOTHING should exit it at all, plus strict rules for incoming traffic.
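The "separate closed network" in the earlier Hue comment and the "separate security zone, nothing exits" rule above describe the same design: put the IoT gear on its own segment and let the router enforce what may cross the boundary. The nftables ruleset below is an added illustration of that policy, not code from any poster, from Check Point or from Philips. It assumes a Linux router with three interfaces (placeholder names `br-lan` for the trusted LAN, `vlan-iot` for the IoT VLAN, `eth0` for the uplink); the interface names and subnets are constructed for the example and would be replaced with the real ones.

```nft
#!/usr/sbin/nft -f
# Added example: IoT segment isolation on a Linux router.
# Interface names below are assumptions for this example, not real device names.
flush ruleset

define LAN = "br-lan"     # trusted LAN (phones, laptops)
define IOT = "vlan-iot"   # IoT VLAN (Hue Bridge, cameras, sensors)
define WAN = "eth0"       # internet uplink

table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname $LAN accept
        # The IoT segment may talk to the router itself only for DHCP, DNS and NTP.
        # Drop these three lines too if the devices get static addresses and
        # you want the segment to initiate nothing at all.
        iifname $IOT udp dport { 67, 53, 123 } accept
        iifname $IOT tcp dport 53 accept
        # Everything else from the IoT segment to the router is logged, then dropped.
        iifname $IOT log prefix "iot-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Trusted LAN may open connections into the IoT segment
        # (e.g. the Hue app on a phone talking to the Bridge); replies come
        # back through the established,related rule above.
        iifname $LAN oifname $IOT accept
        # Trusted LAN reaches the internet as usual.
        iifname $LAN oifname $WAN accept
        # The IoT segment initiates nothing: no internet, no path into the LAN.
        # Logging the drops gives a simple detection signal for a bridge or
        # bulb that suddenly starts trying to reach out.
        iifname $IOT log prefix "iot-forward-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Two consequences follow from the policy, and both match what the Hue poster accepted: the Bridge loses its cloud link, so the app only works from inside the house, and a compromised device on the IoT VLAN has no route to the LAN or the internet, so its only remaining reach is other devices on the same segment. The `log prefix` lines are there so that outbound attempts from that segment show up in the kernel log rather than vanishing silently.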
Well, that sounds dodgy AF. You've probably compromised your phone and your Wi-Fi network. It wouldn't surprise me if this was gear intended for a state-sponsored hack against a specific target and it has somehow made its way into the shops.
Did it require you to side-load the app onto your phone? If so, I'd suggest you assume your phone has been compromised, and do a factory reset. The "requirement" for a Wi-Fi password between 5 and 32 characters implies it's also trying to crack your Wi-Fi password. Change it.
And this is a wonderful example of why IoT's blind vomiting over the world is a really stupid idea.
IoT offers some benefits for a very small proportion of use-cases but essentially nothing more than novelty value for the vast majority.
In exchange, it explodes the Attack Surface of your entire tech environment.
And since the vast bulk of people do not have the lucky intersection of having the time AND the interest AND critically the specialist knowledge to dedicate chunks of time&effort continuously to custom-configure then keep-updated their home networks and ALL attachable devices --or even to really understand the risk, for perhaps 99% of people-- all IoT does in the real world is vastly increase the risk of potentially life-catastrophic* events.
* go through a few case-studies of the impact of a non-tech opening an apparently-trustworthy document or even a simple SIM-swap attack to properly grok how society's other "systems"-in-place, eg banking, have no real provision for recovering without you managing to achieve a 3rd party's manual override. Classic example: coupla years ago Australia's "security czar" or whatever the title was, had her life reduced to carnage stress drama from one such (no bank accounts etc.), which even with her major political clout, public presence, assistance by her own security-dedicated department, and connections took many months to even stabilise let alone return to normal. Seem to recall she was still out thousands of dollars.
As she put it, what chance has an ordinary person got?
OLD: "Sorry, I can't come out tonight, I'm washing my hair."
THE NEW HOTNESS:
"Sorry, I can't come out this weekend. I'm downloading documentation and learning yet another new configuration subsystem's special syntax and hoping I've bought the right cables+devices to connect to custom hardware and learning Tier-1 specialist networking skills and wider understanding to further modify and lock down/segregate my wallmodem thingy, so that my lightbulbs no longer threaten my entire life's savings and/or block my bank accounts so I can't pay rent so I become homeless in what everyone it's happened to says is a startling hurry, handful of weeks. I'm a hairdresser, so I hope I don't make a mistake."