ZigBee is a wireless standard built on top of IEEE 802.15.4, through which Internet of Things (IoT) devices communicate with each other. Samsung, Amazon, Philips and many other major manufacturers use this standard in their devices. Check Point experts warned that attackers could exploit a vulnerability in an implementation of the ZigBee protocol to deliver malware into target networks by compromising Philips Hue smart bulbs and their controllers.
The vulnerability discovered by the experts received the identifier CVE-2020-6007 and scored 7.9 on the ten-point CVSS v3 severity scale. The bug is a heap buffer overflow, and it can be used against Philips Hue Bridge Model 2.x devices to remotely execute arbitrary code. All firmware versions prior to 1935144040, released on January 13, 2020, are considered vulnerable.
The researchers built an attack that works from a distance of about 100 meters from the vulnerable Philips Hue device. The attack allows other devices on the same network as the compromised light bulb to be taken over.
First, the experts loaded the light bulb with malicious firmware and then used it to attack the Philips Hue Bridge, triggering a heap buffer overflow. This allowed them to install malware on the controller (the Philips Hue Bridge) as well, which in turn is connected to the corporate or home network.
As a result, the attacker can develop the attack further, pivot to other systems on the network using well-known exploits, and then deploy any payload on the target network (backdoor, spyware, infostealer, miner, ransomware).
The researchers describe the attack as follows. Having compromised a light bulb, the hacker changes its color or brightness to trick the user into thinking that some kind of malfunction has occurred. Since the bulb is displayed in the application as “unreachable”, the owner's only recourse is to reset it: remove the bulb from the application and then instruct the Philips Hue Bridge to discover it again. The controller then detects the compromised bulb and adds it back to its network. But the bulb, now running the attacker's firmware, exploits the ZigBee protocol vulnerability to trigger a heap buffer overflow on the bridge. At that point the hacker can install malware on the Philips Hue Bridge, from where the attack can spread further using various exploits, such as the infamous EternalBlue.
The demonstration of the attack can be seen below.
“Many of us know that IoT devices can be unsafe. This study shows that even the most mundane, seemingly simplest devices, such as light bulbs, can be used by hackers to hijack networks and introduce malware,” says Yaniv Balmas, head of cyber research at Check Point Research. “It is very important that organizations and ordinary users protect themselves from possible attacks by regularly updating their devices and separating them from other computers on their networks. This is necessary to limit the possible spread of malware. Now, in the complex landscape of fifth-generation attacks, it is necessary to control everything that is connected to our networks.”
The experts notified Philips and Signify (the owner of the Philips Hue brand) about the problem back in November 2019. Signify confirmed the vulnerability and released a patched version of the firmware (1935144040), which is already available through automatic updates.