The light given off by some WiFi light bulbs may expose more than just a dark room: Check Point researchers have found a vulnerability in Philips Hue smart bulbs and the Hue bridge that enables them to remotely infiltrate the device.

The specific vulnerability is CVE-2020-6007, a heap-based buffer overflow that occurs when handling a long ZCL string during the commissioning phase, resulting in remote code execution. Check Point’s Institute for Information Security team was able to take control of a light bulb and install malware enabling them to take over the device’s control bridge and attack the network.
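A ZCL character string is carried as one length octet followed by that many bytes, so the defensive pattern for this bug class is to validate the length octet against both the field's limit and the bytes actually received before copying anything. The C code below is an added example, not code from Philips, Signify or Check Point; `zcl_read_string`, `FIELD_MAX_LEN` and its 32-byte value are hypothetical, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ZCL_STR_INVALID 0xFF /* ZCL: length octet 0xFF marks an invalid string */
#define FIELD_MAX_LEN   32   /* assumed application limit, not from the advisory */

/* Hardened read of a ZCL character string (1 length octet + that many bytes).
 * frame/frame_len: the remaining bytes of the received payload.
 * Returns a NUL-terminated heap copy, or NULL if the field is rejected.
 * *consumed is set to the bytes used so the caller can keep parsing. */
char *zcl_read_string(const uint8_t *frame, size_t frame_len, size_t *consumed)
{
    if (frame == NULL || consumed == NULL || frame_len < 1)
        return NULL;

    uint8_t declared = frame[0];
    if (declared == ZCL_STR_INVALID)      /* explicit "no value" marker */
        return NULL;
    if (declared > FIELD_MAX_LEN)         /* longer than this field may be */
        return NULL;
    if ((size_t)declared > frame_len - 1) /* length octet exceeds received data */
        return NULL;

    /* Size the allocation from the validated length; never copy into a
     * fixed-size buffer using a length supplied by the sender. */
    char *out = malloc((size_t)declared + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, frame + 1, declared);
    out[declared] = '\0';
    *consumed = (size_t)declared + 1;
    return out;
}

int main(void)
{
    /* Constructed sample frame: length 4, then "bulb". */
    const uint8_t ok[] = { 4, 'b', 'u', 'l', 'b' };
    size_t used = 0;
    char *s = zcl_read_string(ok, sizeof ok, &used);
    int rc = (s != NULL && strcmp(s, "bulb") == 0 && used == 5) ? 0 : 1;
    free(s);
    return rc;
}
```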

The overall process to abuse the vulnerability is a bit convoluted and requires some action on the part of the homeowner.

According to

  1. The hacker controls the bulb’s color or brightness to trick users into thinking the bulb has a glitch. The bulb appears as ‘Unreachable’ in the user’s control app, so they will try to ‘reset’ it.
  2. The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb.
  3. The bridge discovers the compromised bulb, and the user adds it back onto their network.
  4. The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.
  5. The malware connects back to the hacker and, using a known exploit (such as EternalBlue), they can infiltrate the target IP network from the bridge to spread ransomware or spyware.

The bulb’s manufacturer Philips and Signify were notified and have pushed out a firmware