A new report from Check Point Research has revealed vulnerabilities in smart lightbulbs that could lead to a hacker delivering ransomware or other malware to businesses or home networks.
The research showed how a hacker could exploit an internet of things (IoT) network through Philips Hue smart bulbs and bridge and use these smart home devices to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices.
In its analysis, Check Point was able to take control of a Philips Hue lightbulb on a network, install malicious firmware on it and spread it to other adjacent lightbulb networks. The researchers then went one step further and used the Hue lightbulb as a platform to take over the bulbs’ control bridge and ultimately attack the computer networks.
“This actually shows that smart bulbs should be seen as a normal and complex smart home device with processing, I/O, storing capabilities,” Shen Wang, senior analyst for LEDs and lighting at IHS Markit told Electronics360. “Since this problem is discovered, I am sure Signify will soon update those with new firmware.”
While this is something that could be a problem inside a home, it could apply to all application locations as long as the bulbs are smart enough, have a gateway from ZigBee to a network and have complex firmware in these bulbs, Wang said.
According to Lee Ratliff, senior principal analyst for connectivity and IoT at IHS Markit, this is the second time ZigBee smart bulbs have been found to have a security exploit. The first time was in 2016 when researchers demonstrated they could take over an entire ZigBee network from outside of an office building using a drone.
“Philips patched that flaw, but apparently another one has been found,” Ratliff said, calling it “security whack-a-mole.”
IoT security still a problem
Flaws in IoT devices have been problematic for years and began not too long after the rise in popularity of smart speakers, smart thermostats and security cameras.
This all came to a head in 2016 when hackers compromised surveillance cameras and entertainment systems found inside smart homes and operated a coordinated distributed denial of service (DDoS) attack that brought down websites including PayPal, Twitter, Amazon, Netflix, Spotify, Reddit and many others.
Since that time, other flaws have been found in IoT devices that could compromise networks leading to about 70% of consumers who own smart home devices to fear hacking due to lack of security in the devices. Analysis from Forrester Research found that about 500,000 IoT devices were suspected of suffering some sort of compromise in 2017.
Insight from Tanner Johnson, senior analyst for connectivity and IoT at IHS Markit, indicates that IoT OEMs continue to engage in insecure practices when designing smart home devices. This is mostly because security is not cheap and the fastest way to get a product to market is to skimp on security measures. In tests of low-cost smart bulbs, 90% were developed without security in mind, with similar vulnerabilities found in each lightbulb.
“Unfortunately, many of the risks introduced through these insecure design practices carry secondary consequences that pose their own unique threats,” Johnson wrote in his analysis.
In the teardown of lightbulbs, it was found that Wi-Fi credentials for a host network were stored onboard without any form of encryption to conceal the network password. “While this flaw poses serious security risks on its own, these poor security design practices are only exacerbated by the proclivity for individuals to simply discard similar devices if they malfunction,” Johnson said.
Homeowners are likely to simply toss out used smart bulbs, allowing a patient hacker to comb through a dumpster, plug the device into a computer and extract the network credentials. This could be a risk in homes, hospitals and even military bases.
In order to improve this situation, both OEMs and end-users should be responsible for safe data protection practices. This begins with more security measures put in place in the device itself and homeowners and businesses being more responsible with what happens to these devices — lightbulbs or otherwise. If an end user is unaware or unable to know the protections provided, it could lead to vulnerabilities happening despite security features provided by the OEM, Johnson said.
How they do it
Check Point detailed how a hacker could gain control of a network using a smart lightbulb. First, a hacker uses the color or brightness to trick users into thinking the bulb has a glitch and appears unreachable in the user’s app. As a user tries to reset the device, they must do it from the app and instruct the control bridge to rediscover the bulb.
When the bridge discovers the compromised bulb, it adds it back into the network and the hacker-controlled bulb with updated firmware uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge by sending a large amount of data to it. This data enables the hacker to install malware on the bridge, which is then sent to target businesses or home networks. Finally, the malware connects back to the hacker and they are able to infiltrate the target IP network from the bridge to spread ransomware or spyware.
“Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware,” said Yaniv Balmas, head of cyber research at Check Point Research. “It’s critical that organizations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”
The good news is companies are working on it as Check Point disclosed the vulnerabilities to Signify, which owns the Philips Hue brand, in November of last year and Signify confirmed the existence of the vulnerability in the product and issued a patched firmware version, which is now available.
Additionally, Wang said that consumers shouldn’t worry too much about this as it is very difficult to hack into a smart lightbulb technically. “It is also much easier to hack via internet than ZigBee which is a short-range protocol,” Wang said. “So, it is a good thing that people know the risk possibilities and I believe companies will try to fix those vulnerabilities.”