[HOME AUTOMATION] A flaw in Philips’ smart lights can lead to a backdoor to the rest of your devices

Vulnerabilities were detected in Philips’ Hue smart light bulbs, allowing hackers to inject malware or ransomware into the targeted network. Attackers at a distance of 100 meters from the target can exploit the flaw, named CVE-2020-6007, by infiltrating the light bulb to install malicious firmware. The cybersecurity agency Checkpoint describes the “process” as such: the attacker changes the brightness or color of the bulb to imitate a glitch, in response to which the user will have to reset the device from the mobile application. The victim will have no other choice than removing the lightbulb from the list of devices and selecting the “infected” one instead. This way, the hacker will be able to access the network onto which the victim’s other smart devices are connected, and exploit the existing flaw in the Zigbee protocol to trigger a heap-based overflow in the control bridge by saturating it with data. Attackers are then able to install infectious malware from there. Philips was alerted of the flaw and sent automatic updates to all its devices, in order to patch the vulnerability.