Update Your ZigBee Smart Home Devices to Protect Against This Hack
Hacked by a Hue Light Bulb? It sounds silly, but security researchers at Check Point Software recently demonstrated that unidentified Philips Hue smart lights can be used as an attack vector into your network if someone exploits a vulnerability in the ZigBee protocol the lights use to communicate with their bridge.
I realize this hack is not easy to pull off. It is much more interesting to see in action (well, to read about). Once the attacker has loaded modified firmware onto a compromised older light bulb, Check Point describes the rest:
- A hacker controls the color or brightness of a light bulb to trick users into thinking that there is a problem with the light bulb. The light is shown as “Not Available” in the user’s application, so they will try to “reset” it.
- The only way to reset the light bulb is to remove it from the application and then instruct the control bridge to re-detect the light bulb.
- The bridge detects the hacked light bulb and the user adds it back to their network.
- The hacker-controlled lamp with the updated firmware then exploits the vulnerabilities in the ZigBee protocol to trigger a heap-based buffer overflow on the control bridge, sending it a large amount of data. This data also allows the hacker to install malware on the bridge, which in turn is connected to the target corporate or home network.
- The malware connects back to the hacker and, using a known exploit (such as EternalBlue), can penetrate the target IP network from the bridge to distribute ransomware or spyware.
Philips updated your Hue Hub in mid-January with a patch that fixes this particular vulnerability, but it's worth a quick check to make sure it has the latest firmware. To do this:
- Open the Hue app on Android or iOS.
- Click on “Settings”
- Scroll down a bit and click on Software Update.
- Wait longer than necessary
- Find your Philips Hue hub and make sure it is running at least “1935144040” (the 1/24/20 update, if I’m correct).
If that’s not the case and there are no updates available for your device, then hold on. You should (hopefully?) get it soon. Until then, I recommend turning on the Automatic Updates feature in the Hue app so you don’t have to check for updates again.
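The same firmware check can be scripted for one or several bridges. This is an added example, not code from the article or from Philips; it assumes the bridge's local `GET /api/config` endpoint returns JSON with a `swversion` field and that build numbers compare numerically, and the sample responses are constructed.

```python
import json
import urllib.request

# Minimum patched bridge firmware build named in the article.
MIN_PATCHED_SWVERSION = 1935144040


def fetch_bridge_config(bridge_ip, timeout=5):
    """Read a bridge's basic config (assumed endpoint: GET /api/config)."""
    url = f"http://{bridge_ip}/api/config"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def firmware_status(config):
    """Return 'patched', 'outdated' or 'unknown' for one bridge config dict."""
    try:
        # Assumption: swversion is a numeric build string that orders by value.
        version = int(str(config.get("swversion", "")).strip())
    except ValueError:
        return "unknown"  # missing or non-numeric: check by hand in the app
    return "patched" if version >= MIN_PATCHED_SWVERSION else "outdated"


def audit(configs):
    """Map each bridge name to its status; anything not 'patched' needs a look."""
    return {c.get("name", "<unnamed>"): firmware_status(c) for c in configs}


# Constructed sample responses (not captured from real devices).
SAMPLE_CONFIGS = [
    {"name": "Living room bridge", "swversion": "1935144040"},
    {"name": "Office bridge", "swversion": "1931140050"},
    {"name": "Garage bridge"},
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIGS).items():
        print(f"{name}: {status}")
```

To check a real bridge, pass the result of `fetch_bridge_config()` for its IP address to `firmware_status()`.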
If you have other smart home devices, take a look at them too; if they use ZigBee to communicate, you’ll want to keep abreast of their updates (or set them to update automatically) so that any future vulnerabilities don’t catch you or your home by surprise.
And if your lights start to flicker in a creepy ghost style, resist the urge to factory reset. Consider switching to a regular light bulb and isolating the Hue Hub on a VLAN or whatever while you troubleshoot, which might include a support call, since I honestly have no idea how to overwrite a hacked light bulb with correct updated firmware, if that is possible at all. As The Verge points out:
“… it looks like, again, the bulbs themselves are still vulnerable to hacking. When this flying drone triggered a miniature IoT virus in 2016, companies found a way to solve this worst-case scenario by limiting the number of light bulb-to-light hops. But ‘due to design constraints,’ the bulbs remained vulnerable, leading to new hacks – and possibly other unrecognized hacks in our future as long as these bulbs remain in service. Leaving these bulbs vulnerable can be more dangerous than just letting a hacker turn your lights on and off at will.”