Philips Smart Light Bulbs Can Be Exploited To Spread Malware

Over the last couple of years, consumers have gradually adopted smart speakers focused on the Internet of Things (IoT) and related accessories, such as lamps and other consumer electronics, we have shown how hundreds of commonly deployed smart-but-insecure gadgets made hacking into wireless networks simpler for remote attackers by cracking WiFi passwords.

Hackers will wreck your existence by getting connections to your wifi network that is also linked to your laptops, smartphones, and other smart devices.

whether it’s about leveraging bugs in the operating system and applications, or controlling network traffic, – attack depends on the connectivity between an intruder and the target computers.

Checkpoint experts today discovered a new high-severity flaw impacting Philips Hue Smart light bulbs in the latest analysis shared with the hacker news, which can be abused over-the-air from more than 100 meters away to gain access into a targeted wifi network.
They also confirmed that buffer overflow occurs on a component called the “bridge” which accepts remote commands sent from other devices, such as a mobile app or Alexa home assistant, to the bulb over Zigbee protocol.

The underlying high-severity flaw, monitored as CVE-2020-6007, lies in the way Philips introduced the Zigbee interaction specification in its smart light bulb, culminating in a heap-based buffer overflow problem.

Following procedure is used by the Phillip DIgital Bulb:

– An intruder gains possession of the smart bulb first by leveraging a newly found flaw.
– It renders the unit in the users ‘ control system’ Unreachable,’ goading them into reconfiguring the bulb and then trying to persuade the control bridge to reassert the bulb again.
– The bridge, with upgraded baseband, reveals the hack-controlled bulb, and the user contributes it back to their network.
– The intruder then utilizes the weaknesses of the ZigBee protocol to cause a pile-based buffer overflow over the command bridge, enabling it to mount vulnerabilities on the targeted bridge.

Check Point revealed those security issues wisely in November 2019 to Philips and Signify, proprietor of the Philips brand, who recently released a fully updated, patched firmware for the devices.
If inbuilt firmware patch download functionality is not permitted, it is advised that the affected customers manually configure patches and adjust configurations to instantly restore future releases.

Back to top button
Close