A vulnerability in Philips Hue smart lightbulbs and their controller bridges could allow intruders to infiltrate networks with a remote exploit, Check Point Software Technologies disclosed Tuesday.
The research stemmed from a detailed paper on the security of ZigBee-controlled Philips Hue smart lightbulbs, which was presented at the 2017 IEEE Symposium on Security and Privacy.
Check Point conducted its own research last year, together with the Check Point Institute for Information Security at Tel Aviv University.
The researchers notified Signify, owner of the Philips Hue brand, about the vulnerability in November, and Signify issued a patched firmware version through an automatic update.
“The billions of devices that increasingly run our homes and businesses are the single largest threat vector for digital exploitation by bad actors, given their poor security record and their being relatively easy to take over,” said Dion Hinchcliffe, principal analyst at Constellation Research.
“Baby monitors have been breached, and … cameras, printers, network routers all have zero-day vulnerabilities,” noted Constellation Research principal analyst Liz Miller.
“Why is security by design not the de facto for device manufacturers?” she asked.
“The reason is often cost,” Miller told the E-Commerce Times. “Also, security is far too often an afterthought in product development.”
Exploiting the Flaw
This is how the researchers exploited the flaw:
They remotely controlled a bulb’s color or brightness to trick users into thinking the bulb had a glitch. The user then had to delete the bulb from the Hue app and instruct the control bridge to rediscover the bulb and add it back onto its network.
The researchers sent a lot of data through the compromised bulb to set off a heap-based buffer overflow on the bridge. The data could have included malware.
Malware sent that way would connect with a hacker’s command and control center, allowing the distribution of ransomware or spyware to the target network through an exploit such as EternalBlue.
“ZigBee was never intended for the security first, zero trust environment that has emerged as a requirement for Internet of Things devices in smart homes and smart cities,” Constellation’s Hinchcliffe told the E-Commerce Times.
“Its primary feature is its very low power requirements, not security,” he added. “Despite its popularity in devices like Hue, we need to move to more advanced protocols designed for today’s much more security-conscious operating environment. IoT has the poorest track record of any type of technology in not providing a safe environment for connected devices at scale, which is rather ironic.”
The problem is amplified in industrial controls and critical infrastructure, Miller noted.
“One entry point into the network of a power plant is the only entry point a bad actor needs,” she said.
The Threat of IoT
Hacking Hue lights was easy and cheap, according to the research paper presented at the 2017 IEEE Symposium on Security and Privacy.
Hue lamps contain a ZigBee chip that has a bug in its stack’s proximity test. It lets any standard ZigBee transmitter — which costs just a few dollars — initiate a factory reset procedure that will dissociate lamps from their current controllers from up to 400 meters away. The transmitter then can take full control of all the lamps.
The researchers drove around their university campus and took full control of all the Hue lamps installed in buildings along the car’s path.
They also attached a fully autonomous attack kit to a standard drone, and forced all the Hue lamps installed in buildings hundreds of meters away to disconnect from their own controllers and to blink “S.O.S.” in Morse code.
Such a drone attack could take out all Philips Hue smart lamps in a city, but its effects could be reversed by bringing each lamp to within a few centimeters of its legitimate controller and reassociating them, the paper states.
To achieve a longer-lasting effect, the researchers reverse engineered the process Philips uses to enable lamp firmware updates, which allowed them to upload firmware of their own creation into any Philips Hue lamp. The process was relatively cheap and easy.
A single infected lamp with modified firmware plugged in anywhere in a city could “start an explosive chain reaction in which each lamp will infect and replace the firmware in all its neighbors within a range of up to a few hundred meters,” the researchers said.
Infections jump directly from lamp to lamp using only unmonitored and unprotected ZigBee communications. Consequently, it “will be very difficult to detect that an attack is taking place and to locate its source after the whole lighting system is disabled,” the paper notes. Attackers have to infect just one lamp.
Their attack spreads through physical proximity alone, disregarding the established networking structures of lamps and controllers, so it “cannot be stopped by isolating various subnetworks from each other, as system administrators often do when they are under attack,” the research paper points out.
Trouble Ahead for Smart Cities
Many governments around the world are planning to develop smart cities that will be chock-full of smart devices, which multiplies security risks.
“Otherwise innocuous items such as the Bigbelly trash compactors and cans we see so often are smart devices that use cellular communications to signal when they need to be emptied,” said Erich Kron, security awareness advocate at KnowBe4.
“Imagine if these devices were compromised and used to stage a DDoS attack or even as a command and control node for ransomware,” he told the E-Commerce Times.
From an attacker’s perspective, the most likely use is to infiltrate networks that are not segregated from other, more important systems, suggested Mike Jordan, VP of research at Shared Assessments.
“Preventing that type of environment, as well as monitoring weird traffic on a network like lightbulbs talking to each other, are manageable steps that should be mandatory if IoT devices are introduced into an organization’s environment,” he told the E-Commerce Times.
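The monitoring Jordan describes (lightbulbs talking to each other, or to anything other than their app and vendor cloud) can be expressed as a small rule set over flow records. The following is an added example, not code from Check Point, Signify or the article; the network segments, the flow-record format and the sample records are constructed for illustration, and TCP port 445 is included because SMB is the service the EternalBlue exploit named in the article targets.

```python
"""
Flag flows in which a device on an IoT segment talks to another IoT device,
to an internal server, or to any host over SMB.  Added example with a
constructed network layout and constructed flow records.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple
from ipaddress import ip_address, ip_network

# Constructed network layout (assumption, not taken from the article).
INTERNAL = ip_network("10.0.0.0/8")          # all private address space in use
IOT_SEGMENT = ip_network("10.20.0.0/24")     # Hue bridge and similar devices
USER_SEGMENT = ip_network("10.10.0.0/24")    # laptops and phones running the app
SERVER_SEGMENT = ip_network("10.30.0.0/24")  # file servers, directory servers

# The only internal peers an IoT device is expected to exchange traffic with.
ALLOWED_IOT_PEERS = (USER_SEGMENT,)
# TCP 445 (SMB) is what EternalBlue exploits; a lightbulb bridge has no reason
# to open it towards anything.
SMB_PORT = 445


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src,dst,dport,bytes' record (constructed format)."""
    src, dst, dport, nbytes = (field.strip() for field in line.split(","))
    return Flow(src, dst, int(dport), int(nbytes))


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label for a suspicious flow, or None if it is expected."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in IOT_SEGMENT:
        return None                        # only IoT-originated traffic is in scope
    if flow.dport == SMB_PORT:
        return "iot-smb-client"            # lateral-movement pattern, any destination
    if dst in IOT_SEGMENT:
        return "iot-to-iot"                # devices should not talk peer to peer
    if dst in SERVER_SEGMENT:
        return "iot-to-server"             # segmentation is missing or has failed
    if dst in INTERNAL and not any(dst in net for net in ALLOWED_IOT_PEERS):
        return "iot-to-unexpected-internal"
    return None                            # app traffic or vendor cloud (public)


def scan(lines: Iterable[str]) -> Iterator[Tuple[str, Flow]]:
    """Yield (label, flow) for every suspicious record, skipping comments."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            yield label, flow


# Constructed sample records: src,dst,dport,bytes
SAMPLE_LOG = """
# bridge answering a phone that runs the app: expected
10.20.0.5,10.10.0.42,443,2100
# bridge talking to another IoT device: the pattern to watch for
10.20.0.5,10.20.0.9,8080,64000
# bridge opening SMB to a file server: what an EternalBlue attempt looks like
10.20.0.5,10.30.0.7,445,1500
# laptop polling the bridge: expected
10.10.0.42,10.20.0.5,80,900
# bridge to a public address (vendor cloud): expected
10.20.0.5,203.0.113.10,443,3000
""".splitlines()


def findings():
    """Suspicious flows in the constructed sample, as (label, src, dst) tuples."""
    return [(label, f.src, f.dst) for label, f in scan(SAMPLE_LOG)]


if __name__ == "__main__":
    for label, src, dst in findings():
        print(f"{label:28s} {src} -> {dst}")
```

The rules are deliberately about direction and segment rather than payload: a bridge that starts initiating connections to its neighbours, or to anything on port 445, is anomalous regardless of what the traffic contains, which is what makes this kind of check cheap to run on ordinary flow exports. Feeding it real records only requires replacing `parse_flow` with a reader for the collector's format.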
City planners “should demand some objective evidence that smart devices are safe, using available industry certifications,” Hinchcliffe recommended. “I’d argue that they have a fiduciary and public safety responsibility to do so.”
At some point, “we need to admit that the current data center-driven network security mindset is out of date, woefully incomplete, and simply dangerous in the world of IoT and connected headless devices,” Miller remarked. “We can’t afford to cling to these old network security standards of deeper moats and taller walls.”