Rob Pegoraro* says light bulbs and other popular smart-home gadgets are vulnerable to an old, but potent, form of cyberattack.
If your smart light bulbs blink twice, they may be trying to tell you they’re under duress.
A vulnerability reported recently by security firm Check Point could allow that to happen — along with hacks of other smart-home gadgets that employ the same widely used underlying Zigbee wireless protocol.
That’s “could” instead of “will” because Signify, the company behind the Philips-branded line of Hue smart bulbs, already patched that flaw in the firmware of the bridge base stations required by many of those connected lights.
And since the Hue mobile apps come pre-set to install updates automatically, that patch should already be on every Hue bridge.
Does that make this a feel-good security story?
No.
The vulnerability documented by Tel Aviv–based Check Point Software Technologies relies on a common attack technique, and too many Internet of Things (IoT) gadgets don’t come with automatic software updates.
Check Point isn’t singling out any other devices as being vulnerable, but the list of Zigbee-certified hardware is long indeed.
A video posted by Check Point shows how it can work.
As eerie music plays, the Hue bulb in a house starts changing colours and going on and off on its own — a sign that the attacker has exploited the flaw in an unpatched bridge to seize control.
The attacker uses the infected bridge to take over a Windows 7 laptop plugged into it.
“I’m inside your home network and I can do whatever I want,” sums up Yaniv Balmas, head of cyber research at Check Point.
The attacker does not need to be inside a home or office or even on the same wireless network as the target; instead, connecting a special antenna to a laptop from as much as 100 metres away can allow breaking into the Zigbee radio-frequency communications between the bridge and Hue bulbs.
“Zigbee is a complex protocol,” says Balmas.
“The problem, as always, is with the implementation.”
In this case, Check Point found that a buffer-overflow attack sufficed to get hostile code running on a Hue bridge.
This is a common technique in which the attacker sends an unexpected amount of data to a program expecting input of a particular size.
(Some newer Hue smart-bulb kits don’t require a bridge; this bug does not appear to affect them.)
Old problem, new targets
The same basic buffer-overflow tactic allowed the Heartbleed vulnerability that left holes in the security of a large fraction of the websites online almost six years ago.
No, developers haven’t learned to close that hole.
As Balmas puts it: “Buffer overflows are everywhere.”
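The two bugs the article names share one shape: the receiver trusts a length supplied by the other side. The following C example is added here to illustrate that shape and its fix; it is not code from Check Point, Signify or the Zigbee specification, and the length-prefixed message format it parses is a constructed assumption, not the Zigbee frame layout. The unchecked function shows the defect pattern (a lying length makes memcpy read past the received data and write past the destination, the Heartbleed-style over-read and the classic overflow respectively); the checked function rejects both cases before copying a byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-prefixed message format, constructed for this example
 * (it is NOT the Zigbee frame layout):
 *   byte 0      : declared payload length N (0..255)
 *   bytes 1..N  : payload
 * The receiver copies the payload into a fixed-size buffer of PAYLOAD_CAP bytes. */
#define PAYLOAD_CAP 16

enum parse_status {
    PARSE_EMPTY     = -1,  /* no length byte at all */
    PARSE_TRUNCATED = -2,  /* declared length exceeds what was actually received */
    PARSE_TOO_LONG  = -3   /* declared length exceeds the destination buffer */
};

/* The defect pattern: the declared length is trusted, so a sender that lies
 * about N makes memcpy read past the received frame and write past `out`.
 * Kept only for contrast; it must never be run on untrusted input. */
long copy_payload_unchecked(const uint8_t *frame, uint8_t *out)
{
    size_t declared = frame[0];
    memcpy(out, frame + 1, declared);
    return (long)declared;
}

/* Hardened version: both bounds are checked before any byte is copied.
 * Returns the number of payload bytes copied, or a negative parse_status. */
long copy_payload_checked(const uint8_t *frame, size_t frame_len,
                          uint8_t *out, size_t out_cap)
{
    if (frame == NULL || frame_len < 1)
        return PARSE_EMPTY;
    size_t declared = frame[0];
    if (declared > frame_len - 1)      /* over-read: fewer bytes arrived than claimed */
        return PARSE_TRUNCATED;
    if (declared > out_cap)            /* overflow: more bytes than the buffer holds */
        return PARSE_TOO_LONG;
    memcpy(out, frame + 1, declared);
    return (long)declared;
}

/* Three constructed frames (sample data, not captured traffic). */
long demo_well_formed(void)
{
    const uint8_t frame[] = { 3, 'o', 'n', 0x7f };     /* N = 3, three bytes follow */
    uint8_t out[PAYLOAD_CAP] = { 0 };
    return copy_payload_checked(frame, sizeof frame, out, sizeof out);
}

long demo_lying_length(void)
{
    const uint8_t frame[] = { 200, 'o', 'n' };        /* claims 200 bytes, carries 2 */
    uint8_t out[PAYLOAD_CAP] = { 0 };
    return copy_payload_checked(frame, sizeof frame, out, sizeof out);
}

long demo_oversized(void)
{
    uint8_t frame[1 + 40];                            /* honest N = 40, but cap is 16 */
    frame[0] = 40;
    memset(frame + 1, 'A', 40);
    uint8_t out[PAYLOAD_CAP] = { 0 };
    return copy_payload_checked(frame, sizeof frame, out, sizeof out);
}

int main(void)
{
    printf("well-formed : %ld\n", demo_well_formed());     /* 3 */
    printf("lying length: %ld\n", demo_lying_length());    /* -2 (PARSE_TRUNCATED) */
    printf("oversized   : %ld\n", demo_oversized());       /* -3 (PARSE_TOO_LONG) */
    return 0;
}
```

The checked parser compares the declared length against two independent limits, the bytes actually received and the capacity of the destination, because either one alone leaves the other failure open. The same two checks, applied at every point where a length or count arrives from the network, are what a patch like the one Signify shipped has to add.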
The last part of the attack shown in the Check Point video, the remote compromise of the laptop, relies on another old bug, the EternalBlue vulnerability behind the WannaCry ransomware outbreak of 2017.
The laptop in the clip ran Windows 7 because Windows 10 defeats that attack — as should a Win 7 machine that’s been kept current with Microsoft’s security patches, something too many users fail to do.
Check Point credited Signify for responding promptly and professionally to its report, resulting in a firmware update being pushed out to Hue bridge users on 23 January.
The release notes for that patch, however, betray a common failing of the software industry by providing no useful information about their contents.
They read, in full: “We regularly update your Hue Bridge to improve the performance and reliability of the system.”
Signify — spun off from Philips in 2016 to focus on lighting technology — did not respond to an email inquiry sent to its publicist about the vague release notes.
But it has far too much company in that habit of not documenting security patches, in effect inviting users to put off installing what appear to be noncritical updates.
When Twitter patched a vulnerability in its Android app that it considered severe enough to warrant an email to users, the release notes for that 20 December bug fix read: “We made improvements and squashed bugs so Twitter is even better for you.”
Check Point’s Balmas agrees: “They should be more clear with their customers about exactly what was found.”
But at least Signify responded correctly to Check Point’s report and had already instituted an automatic-updates policy.
(To see if your Hue bridge has been patched, open the Hue app and tap Settings and then “Software update.”)
That company also documents a vulnerability-disclosure policy, a key step many gadget vendors fail to take that can leave security researchers unclear on how to communicate their findings to the right people.
Many other IoT vendors probably aren’t exercising as much care.
“We can’t possibly research each and every device,” warns Balmas.
“If you’ll ask me if other devices suffer from the same or similar vulnerability, my answer will probably be yes.”
* Rob Pegoraro is a computing journalist. He tweets at @robpegoraro.
This article first appeared at www.fastcompany.com.