Philips and its parent company Signify have fixed a new vulnerability in smart Hue lamps. The vulnerability was identified by a Check Point Software researcher and shows how even smart lights can give cyber criminals access to a home or corporate network. This article has been updated with the manufacturer's official statement.
The researchers discovered that it is possible to take control of a Hue lamp and install malicious firmware on it. Once this is done, the attacker can interfere with the light, changing its color and brightness. If the user tries to reset the lamp by deleting it from the app and reconnecting it, potential hackers would be able to distribute the firmware and exploit the Zigbee protocol to connect to the target company or home network. From there, it is potentially possible to spread ransomware and spyware on the network.
In November Check Point reported the problem to Philips and Signify, and a specific patch (Firmware 1935144040) was released a few weeks ago. If the Philips Hue Hub is connected to the internet, the update should download automatically.
According to Signify, the vulnerability in question is not present in Hue lamps produced in 2018 and later. "There is a very limited risk for users but they should always make sure that Philips Hue products are up to date with the latest versions of the software," said a Signify spokesman. Below is the official press release from the manufacturer on the matter:
"We received the Checkpoint Security report last November and, a few weeks ago, we released a corrective update. The flaw identified by Checkpoint Security dates back to research conducted in 2017 and has now been largely resolved. Furthermore, if an attacker wanted to take control of the Philips Hue bulbs, he would not only have to be near the place where the connected lighting system was installed but also be among the top experts in the field of social engineering. In practice, an attacker could exploit this vulnerability to their advantage by hacking the Philips Hue bridge by accessing a compromised light bulb. However, even before the research results were made public, we corrected the malfunction. Therefore, the risk of an attack within your home network is greatly reduced but, with the aim of reducing any unwanted intrusion, we recommend updating your Philips Hue products regularly."
The Verge reports that the Zigbee protocol has been used for exploits with other brands such as Amazon's Ring, Samsung's SmartThings, Honeywell thermostats and Comcast's Xfinity Home alarm system. Smart home security is an increasingly important problem as more devices in the home, such as smart TVs, light switches, weather stations, interactive toys and other objects, are connected to the internet.
Devices of this type can yield a lot of personal data, some of which could be of definite interest to cyber criminals. It is advisable to check whether the manufacturer updates the firmware of its devices, and to enable automatic updates whenever possible. It is also a good idea to rely on well-known brands, not only to avoid vulnerabilities but also to be assured of reliable and regular updates over time.