Philips Smart Lights Vulnerability Allows Hopping To Devices On The Network – Experts Advise

Security researchers taking a closer look at the Philips Hue smart bulbs and the bridge device that connects them discovered a vulnerability that helped them compromise more meaningful systems on the local network.

Tracked as CVE-2020-6007, the bug has a severity score of 7.9 out of 10. It is a heap buffer overflow that can be exploited remotely in Philips Hue Bridge model 2.x to execute arbitrary code. Affected firmware versions are up to 1935144020, released on January 13.

According to the researchers, an attacker can jump to other systems on the network using known exploits, such as the infamous EternalBlue. At this point, the threat actor can deploy whatever type of malware they want on the network (backdoor, spyware, info-stealer, cryptocurrency miner, ransomware).

Expert Comments

February 08, 2020
Paul Bischoff
Privacy Advocate
Comparitech
Learn how to spot phishing emails. Check the sender's domain, don't click on links in unsolicited emails, and never include sensitive personal info in an email. Don't trust link preview images or text, and do not click on links in unsolicited messages. To inspect a link, long-press the link and copy it to your clipboard, then paste it into a text editor.
February 08, 2020
Boris Cipot
Senior Sales Engineer
Synopsys
IoT devices, be it bulbs, door locks, home assistants, switches etc., are a common utility in many households today. This is due to their versatility of use, which also helps to make life easier and more comfortable. They can be controlled by devices like our phones and other IoT devices in the same network, so we can use our voice to turn them on and off, or in the case of the Philips Hue bulbs, change the colour or intensity of light. The communication protocol used for giving commands to the Philips Hue bulbs and receiving information from them is called ZigBee, a standardized protocol used by many other IoT devices. Unfortunately, this protocol has a vulnerability enabling an attacker to exploit these IoT devices, including the Philips Hue bulbs and the Philips Hue Bridge model 2.x. The good news is that the vulnerability has already been patched by Philips, and the patch was released on the 13th of January. Users that have automatic updates enabled on their bridges have already got the patch applied. Those who have not enabled automatic updates, or are unsure if they have, should check what their status is on the Hue System in the Hue app (Settings -> Software update -> Automatic Update). It is highly advisable to turn the automatic updates on as you do not want to miss any security improvements now or in the future. Furthermore, there are other perks to having automatic updates switched on. This includes ensuring you do not miss out on quality, security or performance improvements, as well as guaranteeing that your Hue System stays compatible with new Hue products.
February 08, 2020
Mike Riemer
Global Chief Security Architect
Pulse Secure
Smart bulbs are just another example of how the Internet of Everything continues to expand the enterprise attack surface. While lighting appears innocuous, anything connected to a corporate network can pose a threat. Many IoT devices have open default settings and require configuration and patch hygiene. To manage this risk, organizations must invoke a Zero Trust approach to make any connected device visible, verified, segregated and monitored. Strong endpoint security enforcement assures that defenses can scale as IoT adoption increases.
February 07, 2020
Kieran Roberts
Head of Penetration Testing
Bulletproof
In a corporate environment, it would be unlikely that products like Philips Hue would be used, meaning that this attack is likely limited to home users. Looking through the documentation, it seems that in order to pivot into a target network, the host would need to be vulnerable to another exploit; in the example provided the EternalBlue exploit is leveraged to gain access. Overall, this is a very cool bug from a technical perspective, but in ‘real life’ the use case is limited. It would likely only affect home users, and relies on a fairly significant amount of user interaction (the user must delete their installed lamp and then add the attacker’s light to the profile) as well as hosts within the local network being unpatched and vulnerable to known exploits in order for an attacker to propagate further into the network.
February 07, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
IoT and smart devices are notorious for having poor security by design, and for not offering intuitive security options for users. Therefore, enterprises should exercise caution when deploying smart technology into their environments. Ideally IoT should be segregated from the main network and monitored for suspicious activity. Patch management should also be taken under consideration when deploying IoT devices. If the devices do not offer patch management, logging, or a way to change default credentials, enterprises should be aware of the potential high risks they can be taking on.
February 07, 2020
Stuart Sharp
VP of Solution Engineering
OneLogin
This latest IoT vulnerability highlights the critical need for robust security standards for IoT. Governments must act now to hold IoT vendors to account for the security of their devices, and although the UK government recently proposed new legislation around IoT password management, it falls far short of the in-depth guidance and standards required to prevent hackers exploiting vulnerabilities like that found in the ZigBee protocol.
February 07, 2020
Peter Draper
Technical Director, EMEA
Gurucul
This is one of the major issues with so-called “smart devices”. The controls in place on the quality of development and security testing on these products have a long way to go. There are two main issues here: 1) the device can be used to snoop on other devices in the network or to install additional software on those devices; 2) the device can be used as part of a wider net of IoT (smart) devices for other nefarious purposes (such as DDoS attacks). If users are going to install smart devices on their home networks I would highly recommend enabling guest Wi-Fi access (if their router supports it) and only connect your smart devices to the guest network. That way your personal devices will have some protection by keeping that level of separation. This does not stop the devices being infected and used for other purposes.