Your internet-connected light bulbs may be doing more than illuminating your home: They could also be serving as an open invitation to hackers.

Security firm Check Point Research has released its findings that many Philips Hue smart light bulbs have a flaw in their firmware, which allows attackers to take control of an individual bulb, push malicious firmware to it, and spread other malicious software throughout a network.

If successful, an attacker utilizing this exploit can load malware onto the Internet of Things (IoT) bridge the target bulb connects to, and from there it can “infiltrate the target IP network from the bridge to spread ransomware or spyware,” Check Point said.

SEE: Amazon Alexa: Cheat sheet (free PDF) (TechRepublic)

How this smart bulb attack works

The actual exploit comes from the Zigbee low-power IoT protocol that Philips, and many other IoT product manufacturers, use for device communication.

The Zigbee exploit was first reported by independent researchers in 2017, and Check Point said it used the same method in late 2019 to test the vulnerability. Two years on, and the exploit still works.

The actual attack, from start to network malware propagation, looks like this:

  1. An attacker gains control of an individual bulb using the Zigbee exploit, and pushes malicious malware to it.
  2. The attacker changes the bulbs color or brightness to trick the network owner into thinking the bulb is glitched.
  3. The only way to fix a glitched smart bulb is to remove it from a network, and then re-add it. At this point the target has to do just that.
  4. Once re-added, the malicious firmware on the bulb triggers a massive data dump to the IoT control bridge. The data sent can include other malicious software, command and control software for future attacks against the network, and more.
  5. With an IoT bridge now infected, the attacker is free to begin moving through the victim network.

Preventing a smart bulb attack

Check Point notified Philips of the exploit in late 2019, and the company has already released firmware updates for its Hue line of smart bulbs that should make them immune to the Zigbee exploit.

With that in mind, it’s essential to remember that firmware (usually) doesn’t update itself. If you own Philips Hue smart bulbs, or any other smart bulbs for that matter, make sure you’re using the bulb app to regularly check for updates and be sure to always install them.

It’s also worth mentioning that there’s a human element to the attack: It requires someone with access to the target network to reconnect a compromised bulb to complete the attack.

Check Point mentioned that an infected bulb won’t show up in a list of devices because the attacker has already taken control of it, thereby removing it from the list of known devices.

If you encounter a situation where one of your smart bulbs is acting strangely and you can’t find it in a list of connected devices you may want to unplug it and reconnect it on a test network where none of your actual devices are at risk.

Light bulbs for a gift? Sure, why not. These connected smart bulbs from Philips will work with Amazon Alexa, Apple HomeKit or Google Assistant. The starter kit is $149.99 for a white ambiance starter kit, and $199.99 for a white and color ambiance starter kit.
Image: Philips