Check Point security researchers have discovered a security vulnerability in Zigbee, and with it Philips Hue, which allows attackers to take control of the lights connected to the system and expand the attack on the network. But not only the market leader Philips Hue is affected.
An attacker can initially switch the lights on and off and change their brightness and, if supported, the reproduced color. Even if this problem has not yet been resolved – and cannot be remedied at all – Signify has reacted and closed a gap that allowed the attack via the Philips Hue Bridge to be extended to the connected network.
Zigbee generally affected
The attackers exploit a vulnerability in Zigbee, the communication protocol that Philips Hue uses as well as numerous other smart home systems such as Samsung’s SmartThings, Amazon Echo, Bosch Smart Home, Ikea Tradfi and Belkin WeMo. All of these systems are vulnerable to an attack on the lights because the gap relates to Zigbee and not specifically Philips Hue. Check Point, however, focused on the market leader to show the problem and wanted to develop solutions with other manufacturers.
The attack passes from one lamp to the rest and the network. After the attacker has gained access to a luminaire via the vulnerability, the user can no longer control it himself, but is made aware of the misconduct deliberately caused by the hacker. If he now deletes them from the Philips Hue system in order to remedy the error by re-teaching them, the attacker can also access the bridge using malware imported into the lamp, which in turn could be used to gain access to the network.
Users should check Hue for updates
Check Point first reported the vulnerability to Signify, the company behind the Philips Hue brand, in November 2019, and has only released it after Signify has released a patch (firmware 1935144040). Philips Hue users should therefore check in the Hue app whether updates are available for the components used.
Gap in Hue lamp requires changes to the hardware
While updates can prevent attackers from gaining access to the bridge and the network, the first hole that allows an attack on a single light fixture cannot be closed by a software update as it changes the hardware of the Philips home Makes lighting necessary.