Zigbee Security vulnerability that affected Hue Smart bulbs has been patched

News
By published
Philips Hue
Philips Hue (Image credit: Lory Gil/iMore)

What you need to know

  • A security vulnerability found in some smart bulbs could have given hackers access to the local host network it was connected to.
  • The flaw relates to the Zigbee communication protocol, used by devices such as Philips Hue bulbs.
  • Check Point found that a 2017 vulnerability could in fact be used to launch attacks on a conventional computer network, thankfully it's now been fixed.

A security flaw in the Zigbee communication protocol used by Smart bulbs could have been used to launch attacks on conventional computer networks in homes and businesses. Thankfully, it's now been fixed.

According to Check Point, they explored whether a vulnerability found in 2017 could, in fact, be used to gain access to the host network that the device was connected too. The answer? Yes. The issue has now been patched, so checking your firmware would be a very good idea.

The report notes:

Continuing from where the previous research left off, Check Point's researchers showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities. Our researchers focused on the market-leading Philips Hue smart bulbs and bridge, and found vulnerabilities (CVE-2020-6007) that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices. With the help of the Check Point Institute for Information Security (CPIIS) in Tel Aviv University, the researchers were able to take control of a Hue lightbulb on a target network and install malicious firmware on it. From that point, they used the lightbulb as a platform to take over the bulbs' control bridge, and attacked the target network as follows:

  1. The hacker controls the bulb's color or brightness to trick users into thinking the bulb has a glitch. The bulb appears as 'Unreachable' in the user's control app, so they will try to 'reset' it.
  2. The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb.
  3. The bridge discovers the compromised bulb, and the user adds it back onto their network.
  4. The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.
  5. The malware connects back to the hacker and using a known exploit (such as EternalBlue), they can infiltrate the target IP network from the bridge to spread ransomware or spyware.

If that didn't make sense, here's' a video:

Check Point told Philips and Signify (Philips Hue's parent company) about the vulnerability in November 2019. A recent firmware patch [Firmware 1935144040] is now available on their site and was issued as an automatic update, so you just need to double-check your firmware.

Check Point plans to release the full technical details of its research in the coming weeks, once everyone has had time to safely update their products.

Stephen Warwick
Stephen Warwick
News Editor

Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design. Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9

Latest in Security
iPhone 15 Plus review
Recent Apple iPhone spyware alerts could have been triggered by China-linked attacks, researchers say
Google One VPN on iPhone
Google is about to give iPhone owners a privacy and security headache as it prepares to shut down another key service
iCloud Keychain on iPad
I can finally use iCloud Keychain and ditch 1Password thanks to this key new feature
At home with 15-inch MacBook Air, on a mosaic balcony table and on a wooden floor.
Old-school Mac malware is hiding in plain sight in this productivity app
M2 Macbook Pro 13 Inch Hero
Researcher claims a key Mac security feature can be bypassed and Apple won't fix it
macOS Ventura Passkeys
The apple.com website adds passkey support, but there's a catch
Latest in News
iMore Logo
One more thing… Goodbye from iMore
Jony Ive
Jony Ive’s OpenAI hardware device could be his next world-changing design
NEBULA Cosmos 4K SE with Apple TV
This new 4K projector is tempting me to replace my LG C2 TV, just so I can watch Slow Horses on a 200-inch display
VisionOS 2 app reorganization
visionOS 2 is the first major software update for Apple Vision Pro, and now it's available
macOS Sequoia
macOS Sequoia (version 15) is now available for your Mac with some big upgrades
watchOS 11
watchOS 11 is now rolling out to all Apple Watch users with the Series 6 or newer
More about security
iPhone 15 Plus review

Recent Apple iPhone spyware alerts could have been triggered by China-linked attacks, researchers say
Google One VPN on iPhone

Google is about to give iPhone owners a privacy and security headache as it prepares to shut down another key service
iMore Logo

One more thing… Goodbye from iMore
See more latest