Hue light bulbs vulnerability

4 Likes

Have you found anything about how the ethernet network is affected? I cannot really see any description of that.
The first article has a link to the whole article about the original 2016-2017 solution. 18 pages, but explains what and how they did. Amazing work.
But how this will be resolved by any manufacturer? And how in an ecosystem like SmartThings?

@jkp, thanks.

Just as a quick game with the idea. Imagine what if a code like this is already in many cheap Chinese products. Being battery or line powered. You don’t have to even hack a bulb with fancy equipment. You have already deployed it, and just need to set one off.
It makes me think that what should I use instead of Zigbee? Zwave? Or Wifi?
Zwave has issues when devices degrade communication to S0, as I read it regarding the Yale locks yesterday.
Wifi has it’s own issues considering physically tampared devices could have inject harmful code to your network directly. (There was an article about tampered e-fuses in ESP based devices, or basically any device which uses wifi and has e-fuse part.)
What about BLE? Is it safe or safer? Maybe Weave or Thread? But all runs in the same frequency range. A Zigbee mass jamming of 2.4GHz frequencies with test tones would eradicate that too.

So what standard then?

Nothing you can do about mass jamming, it doesn’t even have to be in the same frequency. But it Has to be physically nearby and it’s super easy to find while it’s broadcasting, so it can be shut down very quickly. At the present time that’s just not a practical attack vector unless you have a zillion local guerillas rushing around from place to place. So that one’s really only something to worry about if you’re in a full-scale war or a riot. In which case you probably have other things to worry about. :scream:

The malware issue is more complicated. Your best bet is to only buy from authorized vendors, never buy anything from Ali Baba or Alibaba express, never buy from third parties on eBay or Amazon. Doesn’t mean it won’t happen, but it’s much less likely to.

The most secure widely deployed DIY home automation protocol at this point is HomeKit if you use only the fully tested devices, but obviously even that isn’t perfect.

In this specific case, remember again that the hacker Has to be physically within zigbee range of your home, So say 100 feet, and has to be willing to stay there Long enough to go through what is a fairly complex multi step process. If you think you might be individually targeted because you’re a celebrity or wealthy or you have a malicious ex, it’s something to be aware of. Or you are a business who might be the target of ransomware. But otherwise it’s not likely to affect anyone in the real world, and Hue has already released the patch for their bridge.

3 Likes

My Hue bulbs are not connected to a Hue bridge. Am I correct to assume the bridge is required to exploit this weakness?

The weakness is intrinsic to the zigbee protocol. The bridge isn’t a requirement for that.

The question is whether the malware itself would run on something other than a Hue bridge and my guess is that it was designed for the Hue Bridge. So with this specific exploit, you’re probably OK. But there might be a very similar one that could attack via a smartthings hub.

BTW, this type of thing is exactly why I don’t run my home automation system on the same network as my laptop. But that’s just me. :wink:

HomeKit is preparing the release of a new router integration which will isolate home automation devices from the homeowner’s other systems. Which at least shows that some companies have been thinking about this issue for some time. :sunglasses:

2 Likes

Yep, agreed. I have a guest WiFi SSID setup that has my IoT devices connected to it, with a completely randomized password to keep it all separate from my main network.

1 Like

I love these under described articles.

Researchers were able to take control of a Hue lightbulb on a network, install malicious firmware on it and propagate to other adjacent lightbulb networks. While the vendor was able to fix the propagation vulnerability, attackers could still take over a target’s Hue lightbulb. Using this remaining vulnerability, Check Point researchers took this work one step further and used the Hue lightbulb as a platform to take over the bulbs’ control bridge and ultimately, attack the target’s computer network.

Hasn’t been the TouchLink issue resolved? Hue hasn’t upgraded their firmware protection?

If yes, then literally any bulb would be good for this, and some would be even able to spread if the TouchLink solution is not fixed. (Ie.: IKEA, GE or Cree bulbs)
I honestly don’t understand how the bulb can update any code on the Hub, but might be forcing the Hub with some kind of overflow to start a reboot or something similar where it could have access a different layer of the SoC to execute/change code. But then it doesn’t matter what network is the Hub is on, because it could be used for a DDoS attack, not just for ransomware or malware.

But where you put a line between Home Automation and other devices? I remember @JDRoberts mentioned 3 networks before, but where you put a line for Entertainment, as Google Home/Amazon Alexa devices, Smart TVs and connected speakers. As all comes under the Home Automation too.

The original Publication from 2016 suggest up to 400 meter, if I read correctly, and the new firmware just had to be deployed once.

The publication:
https://eyalro.net/publication/rosw17.html

PDF here:

Different exploit which was fixed in 2016. The new one has multiple steps.

One) hijack a bulb on the victim’s network. Install malware on it. Note that it is not connected to the victim’s network anymore.

  1. use the attacker’s ability to control that bulb to make it flicker on and off or change colors randomly, getting the victim’s attention.

  2. wait until the victim decides to delete the bulb entry from their own network and then reinstall it. no telling how long this will take, some people will do it immediately, others won’t even know that they can.

  3. After the Bulb has been added back to the victim’s network, wait for the malware to infect the bridge. How long this takes depends on a number of system factors and there are, in fact, some protection programs which can prevent it.

  4. wait for the malware to spread from the bridge to a laptop connected to the same Wi-Fi. Again, how long this takes depends on a number of different factors and there are some protection programs which can prevent it.

  5. once the laptop has been successfully infected, the attacker can get information from it. Although again there are some protection programs which might block transmission.

So you can see there are multiple steps over an indeterminate time frame.

And, Hue already has a patch out in the field which should prevent the malware from infecting the bridge. If you have a hue bridge and you haven’t already updated, you should do so. That will shut down the attack vector for Phillips hue devices.

1 Like

@JDRoberts, if I understand it correctly it does link to the bulb and removes it from the network, so the user has to re-pair it.

UPDATE: I haven’t seen you full post.

It requires only one level interaction, than everything can be automated.

  1. Infect
  2. Wait until the user adds it to the network again.
    Between 1 and 2 you could set the bulb to behave weirdly, randomly by the firmware. After point 2 everything can run automatically too. Like spreading the infected firmware to other bulbs and hacking the bridge.

But thinking of the use cases of the article, one of them is breaking all devices on the network what can be infected, or strobe the lights to cause epileptic seizures. (And it doesn’t matter what controller you are using.)

The patch for the Hue hub is another story. But what if you use these bulbs with any other Zigbee hub/bridge. (Let’s not talk about the Tuya or Xiaomi/Aqara hubs now…)
But SmartThings or Hubitat could have similar vulnerabilities through the zigbee or zwave networks.

By the way, isn’t the Hue bridge HomeKit compatible?

That’s correct, that’s in step one of my post above. The initial attack on the bulb removes it from the victim’s network and gives the attacker control over that bulb, but nothing else.

That’s why in step three the attacker has to wait for the victim to add the now infected bulb back into the victim’s network, the attacker cannot force that step.

I’d like to chat about this one a bit more. While it’s on a different wifi network, it still comes into the same Ethernet network, right? Isn’t the better/safer bet to have a separate wifi router for IOT? Even look at setting vlans up for those different routers? I’m not there yet,myself. But something I’m thinking of.

I will say, my orbi allows my guest wifi to block seeing other devices on that wifi. While good, it does throw some wrenches into some automations with Logitech, Alexa, etc

Yeah, you’re definitely right. I’m not at this point yet, so the st v3 hub and the hue bridge are still plugged in to the router. And because of that, all the Alexa devices are on the main network. I’ve been considering moving both to the other end of the house and plugging them straight into an AP so they are on that guest network too. I just, until this point, never really felt the hue bridge, specifically, would be a concern. I’ve almost completely replaced all WiFi devices with more local options (zwave and zigbee) but the ones I still have, like a meross outdoor plug, lyric t5+ thermostat, roborock e35, coffee maker etc are going to remain separate. I’ve got some work to do lol

@JDRoberts, look what I have found. You must be able to see the future.

1 Like

There is another research by Check Point, a follow up of the previous one, with really detailed explanation.

This exploit still requires that the attacker

One) be physically pretty close to the target, within about one block

Two)

our vulnerability mandates that we trick the user into searching for new lightbulbs, which is not exactly an easy step.

So the hacker has to be after you specifically, and then you have to see a Hue Bulb acting weirdly and decide to reset it at that time.

So as a real life exploit, it’s pretty limited. People who believe they might individually be a target should be aware of this, but it’s not a big issue for the general public.

1 Like

Or receive an unsolicited gift from a company to your post box. (In form of a Hue light bulb. Not as a bag of seeds!)

1 Like