Flaw in Philips Smart Light Bulbs Exposes Your WiFi Network to Hackers

Posted by & filed under Ειδοποιήσεις.

There are over a hundred potential ways hackers can ruin your life by having access to your WiFi network that’s also connected to your computers, smartphones, and other smart devices.

Whether it’s about exploiting operating system and software vulnerabilities or manipulating network traffic, every attack relies on the reachability between an attacker and the targeted devices.

In recent years, we have seen how hundreds of widely used smart-but-insecure devices made it easier for remote attackers to sneak into connected networks without breaking WiFi passwords.

In the latest research shared from Check Point experts today revealed a new high-severity vulnerability affecting Philips Hue Smart Light Bulbs that can be exploited over-the-air from over 100 meters away to gain entry into a targeted WiFi network.

The underlying high-severity vulnerability, tracked as CVE-2020-6007, resides in the way Philips implemented the Zigbee communication protocol in its smart light bulb, leading to a heap-based buffer overflow issue.

ZigBee is a widely used wireless technology designed to let each device communicate with any other device on the network. The protocol has been built into tens of millions of devices worldwide, including Amazon Echo, Samsung SmartThings, Belkin Emo and more.

“Through this exploitation, a threat actor can infiltrate a home or office’s computer network over-the-air, spreading ransomware or spyware, by using nothing but a laptop and an antenna from over 100 meters,” the Check Point researchers said.

Check Point also confirmed that the buffer overflow happens on a component called the “bridge” that accepts remote commands sent to the bulb over Zigbee protocol from other devices like a mobile app or Alexa home assistant.

How Does Philips Smart Bulbs Vulnerability Work?

Though researchers choose not to reveal complete technical details or PoC exploit for the flaw at this moment to give affected users enough time to apply patches, they did share a video demonstrating the attack.


Video source(CheckPoint Official Youtube Channel): https://www.youtube.com/watch?v=4CWU0DA__bY


As shown in the video, the attack scenario involves:

  1. By exploiting a previously discovered bug, an attacker first takes control over the smart bulb.
  2. This makes the device ‘Unreachable’ in the users’ control app, tricking them into resetting the bulb and then instructing the control bridge to re-discover the bulb.
  3. The bridge discovers the hacker-controlled bulb with updated firmware, and the user adds it back onto their network.
  4. The hacker then exploits the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, allowing him to install malware on the bridge that’s connected to the targeted network.
  5. The hacker can use malware to infiltrate the network, eventually leaving millions of other devices connected to the same network at risk of remote hacking.

“Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware,” Yaniv Balmas, Head of Cyber Research at Check Point Research,

Check Point responsibly reported these vulnerabilities to Philips and Signify, owner of the Philips Hue brand, in November 2019, who just last month released an updated, patched firmware for the device.

“It’s critical that organizations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex cyberattack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”

If automatic firmware update download feature is not enabled, affected users are recommended to manually install patches and change settings to revive future updates automatically.


The information contained in this website is for general information purposes only. The information is gathered from THE HACKER NEWS, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.