Bug in Philips Smart Light Allows Hopping to Devices on the Network

Security researchers taking a closer look at the Philips Hue smart bulbs and the bridge device that connects them discovered a vulnerability that helped them compromise more meaningful systems on the local network.

The security flaw was discovered is in the ZigBee wireless communication protocol that is used by a wide range of smart home devices.

From bulb to bridge to network

Tracked as CVE-2020-6007, the bug has a severity score of 7.9 out of 10. It is a heap buffer overflow that can be exploited remotely in Philips Hue Bridge model 2.x to execute arbitrary code. Affected firmware versions are up to 1935144020, released on January 13.

Security researchers at Check Point discovered the issue and developed an attack that allowed them to hack into other devices on the same network as the vulnerable Philips Hue bulb.

They started by fitting the smart light with malicious firmware. Then they moved to take control of the bulb's control bridge by triggering a heap buffer overflow in it. For this to happen, they needed to bombard it with large amounts of data.

"This data also enables the hacker to install malware on the [control] bridge – which is in turn connected to the target business or home network," the researchers explain in a summary of their discovery.

According to the researchers, an attacker can jump to other systems on the network using known exploits, such as the infamous EternalBlue. At this point, the threat actor can deploy whatever type of malware they want on the network (backdoor, spyware, info-stealer, cryptocurrency miner, ransomware).

A video published today demonstrates a risk scenario for devices connected to a compromised control hub:

Check Point reported their finding to Signify, the Philips Hue parent company, who acknowledged the vulnerability and fixed it in firmware version 1935144040, the researchers say.

If automatic updates are enabled, users don't have to lift a finger to get the latest software. Otherwise, they can check if a new firmware release is available from the Settings menu of the Hue app.

Full technical details for this attack will emerge in the near future, to give enough time for a significant number of Philips Hue customers to install the latest firmware.