Added comment from Belkin
For those with Philips Hue devices: you need to update your Philips Hue Bridge software because hackers may be able to exploit Philips Hue smart light bulbs to get into your home network via the Bridge
The flaw, discovered by Check Point in Israel, exploits a fundamental flaw in the low-power, short-range wireless protocol of ZigBee, which is used in many smart home devices
In a press release, Check Point stated that exploiting this vulnerability "allows threat actors to infiltrate home and office computer networks via connected home devices and spread malware"
Here is a fun video showing such an attack [ZigBee is also used in Amazon Echo, Belkin WeMo, Samsung SmartThings, and others But until the details of this flaw are known, it is not known if these brands are vulnerable to the attack [A spokesperson for Signify, the maker of the Philips Hue device, told Tom's Guide 'The researchers we worked with through our responsible disclosure process simply indicated the possibility of an attack They have not disclosed the information needed for someone else to do so"
[After this article was first published, a Belkin representative made this statement: "Wemo uses the ZigBee HA Profile and is not vulnerable to the commissioning attack referenced in the article However, as a reminder for security best practices, users should always keep the firmware of all connected devices updated]
To update the Philips Hue bridge, enter the Philips Hue mobile app, open Settings, and click Software Update The app will find the software update online and install it on the Philips Hue bridge
You can also set the mobile app to automatically download and install updates If you have a newer square bridge, upgrade to firmware version 1935144040; if you have an older round bridge, upgrade to firmware version 01043064 [The Check Point findings build on earlier work by Israeli academic researchers Eyal Ronen, Achi-Or Weingarten, and Adi Shamir, and Canadian researcher Colin O'Flynn (Shamir is one of the developers of the RSA2 key encryption system, which is widely used today to protect Internet communications)
In 2016, this team found a way to create an Internet of Things worm using ZigBee-enabled smart light bulbsIoT Goes Nuclear: Creating a ZigBee Chain Reaction: The preface to their academic paper, subtly titled "Creating a ZigBee Chain Reaction," speaks for itself [They describe a new type of threat: if the density of compatible IoT devices exceeds a certain critical mass, neighboring IoT devices can infect each other with worms that can spread explosively over a wide area in a nuclear chain reaction-like fashion
"We developed and validated such an infection using the popular Philips Hue smart lamp as a platform The worm spreads by jumping directly from one lamp to a neighboring lamp"
Smart light bulbs are not yet that popular, but scholars envision a rather dramatic scenario when they do become widespread
"An attack could start with plugging in a single infected light bulb anywhere in the city and spread catastrophically everywhere within minutes, allowing an attacker to turn all the lights in the city on or off, brick them permanently, or exploit them in a massive DDoS attack
Sadly for Internet fear-mongers and Hollywood scriptwriters, Philips Hue has since fixed the flaw that allowed the worm to spread among smart bulbs [However, according to Check Point, "due to design limitations, the vendor was only able to fix the propagation vulnerability, allowing the attacker to take over the target Hue bulbs" [Check Point's team was able to exploit this vulnerability to gain entry into the ZigBee network, and from there into the Philips Hue's bridge The bridge connects the low-power ZigBee network to the high-power Wi-Fi and Bluetooth networks, and Check Point researchers were able to exploit this undisclosed flaw to penetrate the broader in-home Wi-Fi network
Again, it is not known if this flaw can be exploited in smart home products from other manufacturers However, a Check Point spokesperson stated, "We believe it is highly likely that similar vulnerabilities have been implemented in other products"
Comments