Philips Smart Lights Vulnerability Allows Hopping To Devices On The Network – Experts Advise

Security researchers taking a closer look at the Philips Hue smart bulbs and the bridge device that connects them discovered a vulnerability that helped them compromise more meaningful systems on the local network.

Tracked as CVE-2020-6007, the bug has a severity score of 7.9 out of 10. It is a heap buffer overflow that can be exploited remotely in Philips Hue Bridge model 2.x to execute arbitrary code. Affected firmware versions are up to 1935144020, released on January 13.

According to the researchers, an attacker can jump to other systems on the network using known exploits, such as the infamous EternalBlue. At this point, the threat actor can deploy whatever type of malware they want on the network (backdoor, spyware, info-stealer, cryptocurrency miner, ransomware).

7 Expert Comments
Paul Bischoff, Privacy Advocate
InfoSec Expert
February 8, 2020 10:42 am

Learn how to spot phishing emails. Check the sender’s domain, don’t click on links in unsolicited emails, and never include sensitive personal info in an email. Don’t trust link preview images or text, and do not click on links in unsolicited messages. To inspect a link, long-press the link and copy it to your clipboard, then paste it into a text editor.

Boris Cipot, Senior Sales Engineer
InfoSec Expert
February 8, 2020 10:36 am

IoT devices, be it bulbs, door locks, home assistants, switches etc., are a common utility in many households today. This is due to their versatility of use, which also helps to make life easier and more comfortable. They can be controlled by devices like our phones and other IoT devices in the same network, so we can use our voice to turn them on and off, or in the case of the Philips Hue bulbs, change the colour or intensity of light. The communication protocol used for giving commands to the Philips Hue bulbs and receiving information from them is called ZigBee, a standardized protocol used by many other IoT devices. Unfortunately, this protocol has a vulnerability enabling an attacker to exploit these IoT devices, including the Philips Hue bulbs and the Philips Hue Bridge model 2.x.

The good news is that the vulnerability has already been patched by Philips and was released on the 13th of January. Users that have automatic updates enabled on their bridges have already got the patch applied. Those who have not enabled automatic updates, or are unsure if they have, should check what their status is on the Hue System in the Hue app (Settings -> Software update -> Automatic Update). It is highly advisable to turn the automatic updates on as you do not want to miss any security improvements now or in the future. Furthermore, there are other perks to having automatic updates switched on. This includes ensuring you do not miss out on quality, security or performance improvements, as well as guaranteeing that your Hue System stays compatible with new Hue products.

Mike Riemer, Global Chief Security Architect
InfoSec Expert
February 8, 2020 10:26 am

Smart bulbs are just another example of how the Internet of Everything continues to expand the enterprise attack surface. While lighting appears innocuous, anything connected to a corporate network can pose a threat. Many IoT devices have open default settings and require configuration and patch hygiene. To manage this risk, organizations must invoke a Zero Trust approach to make any connected device visible, verified, segregated and monitored. Strong endpoint security enforcement assures that defenses can scale as IoT adoption increases.

Kieran Roberts, Head of Penetration Testing
InfoSec Expert
February 7, 2020 12:47 pm

In a corporate environment, it would be unlikely that products like Philips Hue would be used, meaning that this attack is likely limited to home users. Looking through the documentation, it seems that in order to pivot into a target network, the host would need to be vulnerable to another exploit; in the example provided the EternalBlue exploit is leveraged to gain access.

Overall, this is a very cool bug from a technical perspective, but in ‘real life’ the use case is limited. It would likely only affect home users, and relies on a fairly significant amount of user interaction (the user must delete their installed lamp and then add the attacker’s light to the profile) as well as hosts within the local network being unpatched and vulnerable to known exploits in order for an attacker to propagate further into the network.

Javvad Malik, Security Awareness Advocate
InfoSec Expert
February 7, 2020 12:45 pm

IoT and smart devices are notorious for having poor security by design, and for not offering intuitive security options for users.

Therefore, enterprises should exercise caution when deploying smart technology into their environments. Ideally IoT should be segregated from the main network and monitored for suspicious activity. Patch management should also be taken under consideration when deploying IoT devices. If the devices do not offer patch management, logging, or a way to change default credentials, enterprises should be aware of the potential high risks they can be taking on.

Information Security Buzz