Those of you who own a Philips Hue smart lamp should read this article to protect yourselves from being attacked by hackers.
With smart devices now well established in our daily lives, the risk of data breaches has skyrocketed. Hackers are no longer trying only to break into your computer but are finding new avenues through smart devices. One such example comes from researchers who this time found vulnerabilities in Philips' Hue Smart Light Bulbs.
Check Point researchers revealed today a new, high-severity vulnerability that affects Philips Hue Smart Light Bulbs. This vulnerability, tracked as CVE-2020-6007, could allow hackers to access a targeted WiFi network from a distance of 100 meters.
The underlying vulnerability lies in the way Philips implemented the Zigbee communication protocol in its smart light bulb. Zigbee is a widely used wireless technology, designed to allow any device to communicate with any other device on the network. The protocol has been integrated into tens of millions of devices worldwide, including Amazon Echo, Samsung SmartThings, Belkin WeMo and more.
The researchers did not disclose full technical details of the vulnerability in order to give affected manufacturers reasonable time to apply patches. However, they shared a video that shows the attack.
As seen in the video, in the attack scenario the hackers use a known bug (which has been detected in the past) to take control of the Hue lamp. This makes the device 'unreachable' to the user's control application, forcing the user to delete the lamp and then try to connect to it again.
The application on the mobile phone scans the area, checking for the existence of smart devices, and thus discovers the hacker-controlled smart lamp with updated firmware. The user adds it back to their network.
The hackers then exploit the vulnerabilities of the Zigbee protocol to overload the cache of the Hue lamp-mobile phone-network connection, allowing them to install malware on that interface. Beyond that, the hackers can use the malware to infiltrate the network.
Check Point reported these vulnerabilities to Philips and Signify, owner of the Philips Hue brand, in November 2019, which just last month released an updated, patched firmware for the device.
If you do not have automatic firmware updates enabled, we recommend that you install the update manually immediately, and at the same time change the settings so that future updates are installed automatically.