In recent years, we have seen how hundreds of widely used smart-but-insecure devices made it easier for remote attackers to sneak into connected networks without breaking WiFi passwords.
The underlying high-severity vulnerability, tracked as CVE-2020-6007, resides in the way Philips implemented the Zigbee communication protocol in its smart light bulb, leading to a heap-based buffer overflow issue.
ZigBee is a widely used wireless technology designed to let each device communicate with any other device on the network. The protocol has been built into tens of millions of devices worldwide, including Amazon Echo, Samsung SmartThings, Belkin Emo and more.
Check Point also confirmed that the buffer overflow happens on a component called the "bridge" that accepts remote commands sent to the bulb over Zigbee protocol from other devices like a mobile app or Alexa home assistant.
How Does Philips Smart Bulbs Vulnerability Work?
Though researchers choose not to reveal complete technical details or PoC exploit for the flaw at this moment to give affected users enough time to apply patches, they did share a video demonstrating the attack.
The attack scenario involves:
- By exploiting a previously discovered bug, an attacker first takes control over the smart bulb.
- This makes the device 'Unreachable' in the users' control app, tricking them into resetting the bulb and then instructing the control bridge to re-discover the bulb.
- The bridge discovers the hacker-controlled bulb with updated firmware, and the user adds it back onto their network.
- The hacker then exploits the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, allowing him to install malware on the bridge that's connected to the targeted network.
- The hacker can use malware to infiltrate the network, eventually leaving millions of other devices connected to the same network at risk of remote hacking.
Check Point responsibly reported these vulnerabilities to Philips and Signify, owner of the Philips Hue brand, in November 2019, who just last month released an updated, patched firmware for the device.