Check Point Research has revealed vulnerabilities that can enable a hacker to deliver ransomware or other malware to business and home networks by taking over smart lightbulbs and their controller. The threat intelligence arm of cybersecurity solution provider Check Point Software Technologies Ltd has identified a novel hack for which a threat actor needs only a laptop and an antenna, and which can be executed from anywhere beyond 100 metres.
"Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly 'dumb' devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware. In today's complex fifth-generation attack landscape, we can't afford to overlook the security of anything that is connected to our networks," says Yaniv Balmas, Head of Cyber Research, Check Point Research.
The attack method exploits vulnerabilities in Zigbee, an open wireless communication standard used in many smart home devices, including Amazon Echo Plus, Samsung SmartThings and Belkin WeMo. Check Point researchers demonstrated the hack on the Philips Hue smart light bulb, which relies on the Zigbee protocol.
The hacker first controls the bulb's colour or brightness to trick users into thinking the bulb has a glitch. The bulb appears as 'unreachable' in the user's control app, so the user will usually try to 'reset' it. The only way to reset the bulb is to delete it from the app and then instruct the control bridge to re-discover it. The bridge discovers the compromised bulb, and the user adds it back onto their network. The hacker-controlled bulb, now running updated firmware, then uses the Zigbee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge by sending it a large amount of data. This data also enables the hacker to install malware on the bridge, which is in turn connected to the target business or home network. The malware connects back to the hacker, who can then use a known exploit (such as EternalBlue) to infiltrate the target IP network from the bridge and spread ransomware or spyware.
Security tips for keeping smart devices safe include fully patching them and ensuring that they are automatically updated when new firmware is released. Users should also stay alert for any out-of-the-ordinary behaviour from their IoT devices, and offices should segregate IoT devices onto a different network/VLAN.
Researchers focused on the market-leading Philips Hue smart bulbs and bridge and found vulnerabilities (CVE-2020-6007) that enabled them to infiltrate networks using a remote exploit in the Zigbee low-power wireless protocol, which is used to control a wide range of IoT devices. The research was done with the help of the Check Point Institute for Information Security (CPIIS) at Tel Aviv University. The findings were disclosed to Philips and Signify (owner of the Philips Hue brand) in November 2019. Signify confirmed the existence of the vulnerability in its product and issued a patched firmware version (Firmware 1935144040), which is now available via an automatic update.
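The patching and segregation tips above can be checked across an inventory of bridges, as in this added example, which is not code from Check Point or Signify. It assumes each bridge's configuration has been collected as JSON with a `swversion` field, that firmware versions compare numerically against 1935144040, and that 10.20.30.0/24 is a hypothetical IoT VLAN; the inventory is constructed sample data.

```python
import ipaddress
import json

# Patched firmware version named in the article, compared numerically (assumption).
PATCHED_SWVERSION = 1935144040
# Hypothetical subnet reserved for IoT devices in this example.
IOT_SUBNETS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed inventory: bridge IP -> JSON body as collected from each bridge.
# The "swversion" field name is an assumption about the collected data.
SAMPLE_INVENTORY = {
    "10.20.30.11": '{"name": "lobby", "swversion": "1935144040"}',
    "10.20.30.12": '{"name": "lab", "swversion": "1931140050"}',
    "192.168.1.50": '{"name": "office", "swversion": "1935144040"}',
    "10.20.30.13": '{"name": "store"}',
}


def read_swversion(config_json):
    """Return the firmware version as an int, or None if it cannot be read."""
    try:
        return int(json.loads(config_json)["swversion"])
    except (ValueError, TypeError, KeyError):
        return None


def audit_bridge(ip, config_json, iot_subnets=IOT_SUBNETS):
    """Return the list of findings for one bridge (empty list = passes)."""
    findings = []
    version = read_swversion(config_json)
    if version is None:
        # Fail closed: an unreadable version is treated as unverified, not as patched.
        findings.append("UNKNOWN_FIRMWARE")
    elif version < PATCHED_SWVERSION:
        findings.append("OUTDATED_FIRMWARE")
    if not any(ipaddress.ip_address(ip) in net for net in iot_subnets):
        findings.append("NOT_SEGREGATED")
    return findings


def audit_inventory(inventory):
    """Map each bridge IP to its findings, keeping only bridges that need action."""
    report = {ip: audit_bridge(ip, cfg) for ip, cfg in inventory.items()}
    return {ip: f for ip, f in report.items() if f}


if __name__ == "__main__":
    for ip, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(ip, ", ".join(findings))
```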
"We are committed to protecting our users' privacy and do everything to make our products safe. We are thankful for responsible disclosure and collaboration from Check Point; it has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk," says George Yianni, Head of Technology, Philips Hue.
Check Point recently acquired an on-device IoT security technology that allows the organisation to mitigate device-level attacks before devices are compromised, using on-device runtime protection. In October last year, a study suggested that infrared-enabled smart lights could be used by hackers to either steal data or spoof other connected devices.