USE PHILIPS HUE BULBS? UPGRADE YOUR FIRMWARE TO PROTECT AGAINST A NEWLY FOUND FLAW
A newly found vulnerability could let an attacker plant malware on the home networks of people who use Philips Hue bulbs, reports Check Point Research.
Philips has rolled out a patch that eliminates this threat.
From more than 100 meters away, the threat actor would need only a laptop and a Zigbee antenna to spread malware in the network.
The malware takes advantage of the vulnerability in the Zigbee standard to spread from the bulb to the user's Hue Bridge when the user deletes the suddenly unresponsive bulb from the Hue app and attempts to re-pair it.
With Zigbee, two connected devices, even if they're from different manufacturers, speak a common language, so there is no barrier to communication. Zigbee devices communicate over radio frequencies.
In 2017, a different team of researchers was able to take control of a Hue lightbulb on a given network and propagate between lightbulbs. Due to design limitations, the vendor was only able to fix the propagation vulnerability, so attackers could still take over a target's Hue lightbulb.
Using this remaining vulnerability, Check Point researchers took this prior work one step further and used the Hue lightbulb as a platform to take over the bulbs' control bridge completely.
At the moment, the Zigbee Alliance counts more than 400 registered members and over 2,500 devices.
Most of the big names in the industry are currently partner brands under the alliance. Well-known users of Zigbee include Amazon Echo Plus, Samsung SmartThings, Belkin WeMo, Hive Active Heating and accessories, Philips Hue, Yale smart locks, Honeywell thermostats, Bosch Security Systems, Ikea Tradfri, and Samsung Comcast Xfinity Box.