Owners of Philips Hue smart bulbs are being urged to check its firmware, after the publication of a vulnerability in how the accessories communicate with each other over Zigbee could allow an attacker to gain control over the whole home network.
Found by Check Point security researchers, the vulnerability was found in the Philips Hue bulbs’ usage of Zigbee, a communication protocol that is used by a large number of smart home devices to communicate with each other. By attacking Zigbee, the attacker can take control of the Hue Bridge that connects the bulbs to the rest of the home network.
Using a Zigbee antenna, the would-be attacker can force one of the bulbs to be pushed off the smart home device network entirely, before putting malicious code into the bulb itself. If the user then tries to bring the suddenly faulty bulb live by re-pairing it in the Hue app, the malware can be spread from the bulb to the Hue Bridge, which in turn is connected to the router.
Once the malware reaches the Hue Bridge, the attacker can have access to the rest of the network, enabling further attacks to take place.
Check Point informed Philips Hue parent company Signify details of the attack, which has resulted in the creation of a firmware fix that will be rolled out to all affected Philips Hue bulbs. As per typical responsible disclosure protocol, Check Point will be issuing a full report on the vulnerability within a few weeks, after the patch has been given time to propagate to users.
Users are encouraged to open the Hue app to check for any available updates for the bulbs, and to install them as soon as possible, though many will find their devices will automatically install the updates. The latest firmware that patches the flaw is version 1935144040.
Head of cyber research at Check Point Research Yaniv Balmas warns “Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware.”
It is unclear if the same technique could be used to attack other Zigbee-based smart home devices, many of which could be controlled under Apple’s HomeKit framework. Other prominent Zigbee users include the Amazon Echo Plus, Belkin’s WeMo system, and the Ikea Tradfri collection.