ZigBee is a wireless standard built on top of IEEE 802.15.4 through which Internet of Things (IoT) devices communicate with each other. Samsung, Amazon, Philips and many other major manufacturers use it in their devices. Check Point specialists warned that cybercriminals could exploit a vulnerability in an implementation of the ZigBee protocol to deliver malware to target networks by compromising Philips Hue smart bulbs and their controllers.
The vulnerability discovered by the researchers received the identifier CVE-2020-6007 and scored 7.9 on the ten-point CVSS v3 scale. The bug is a heap buffer overflow that can be used against Philips Hue Bridge 2.x devices to remotely execute arbitrary code. All firmware versions prior to 1935144040, which was released on January 13, 2020, are considered vulnerable.
The researchers built an attack that works from roughly 100 meters away from the vulnerable Philips Hue device and lets an attacker compromise other devices on the same network as the vulnerable bulb.
To start, the researchers loaded a bulb with malicious firmware and then used it to attack the Philips Hue Bridge, triggering a heap buffer overflow. This makes it possible to install malware on the controller (the Philips Hue Bridge), which in turn is connected to the company or home network.
As a result, the attacker can develop the attack further, move to other systems on the network using well-known exploits, and then deploy any threat to the target network (a backdoor, spyware, an infostealer, a miner, ransomware).
The researchers describe the attack as follows. Having compromised a bulb, the attacker changes its color or brightness to fool the user into thinking some kind of failure has occurred. Because the bulb shows up in the application as "inaccessible", the owner's only remaining option is to reset it: remove the bulb from the application and then instruct the Philips Hue Bridge to discover it again. The controller then detects the compromised bulb and adds it back to its network, but the bulb with the modified firmware uses the ZigBee protocol vulnerability to trigger a heap buffer overflow on the bridge. The attacker can then install malware on the Philips Hue Bridge, from where the attack can spread further using various exploits, such as the infamous EternalBlue.
Demonstration of the attack can be seen below.
“Many of us know that IoT devices can be unsafe. This study shows that even the most mundane, seemingly simplest devices, such as light bulbs, can be used by hackers to hijack networks and introduce malware,” says Yaniv Balmas, head of cyber research at Check Point Research. “It is very important that organizations and ordinary users protect themselves from possible attacks by regularly updating their devices and separating them from other computers on their networks. This is necessary to limit the possible spread of malware. Now, in the complex landscape of fifth-generation attacks, it is necessary to control everything that is connected to our networks.”
The researchers notified Philips and Signify (the owner of the Philips Hue brand) of the problem back in November 2019. Signify confirmed the vulnerability and released a patched firmware version (1935144040), which is already available through automatic updates.
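A defender's check for the affected-version criteria stated above (Hue Bridge 2.x, firmware before 1935144040), written as an added example for this page rather than Check Point's or Signify's own code. It assumes the bridge exposes an unauthenticated `/api/config` document with `modelid` and `swversion` fields and that the 2.x bridge reports `modelid` `BSB002`; the sample responses are constructed, not captured from real devices.

```python
import json
import urllib.request

# From the article: the fix ships in firmware 1935144040 for Hue Bridge 2.x.
CVE_ID = "CVE-2020-6007"
FIXED_SWVERSION = 1935144040
# Assumption: the 2.x bridge identifies itself with this modelid.
ASSUMED_V2_MODEL_IDS = {"BSB002"}


def assess_bridge(config: dict) -> dict:
    """Classify a bridge config as vulnerable / patched / not-applicable / unknown."""
    model = str(config.get("modelid", ""))
    raw = str(config.get("swversion", "")).strip()
    result = {"cve": CVE_ID, "modelid": model, "swversion": raw}
    if model not in ASSUMED_V2_MODEL_IDS:
        result["status"] = "not-applicable"   # other hardware is out of scope here
    elif not raw.isdigit():
        result["status"] = "unknown"          # cannot compare a non-numeric version
    elif int(raw) < FIXED_SWVERSION:
        result["status"] = "vulnerable"       # older than the patched build
    else:
        result["status"] = "patched"
    return result


def fetch_bridge_config(host: str, timeout: float = 5.0) -> dict:
    """Fetch the bridge's unauthenticated config document (assumed endpoint)."""
    with urllib.request.urlopen(f"http://{host}/api/config", timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses (not real device output).
SAMPLE_OLD = {"modelid": "BSB002", "swversion": "1935100000"}
SAMPLE_NEW = {"modelid": "BSB002", "swversion": "1935144040"}
SAMPLE_V1 = {"modelid": "BSB001", "swversion": "01041302"}

if __name__ == "__main__":
    import sys
    # Pass a bridge IP/hostname to query a live device; otherwise use the sample.
    cfg = fetch_bridge_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OLD
    print(json.dumps(assess_bridge(cfg)))
```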