If your smart light bulbs blink twice, they may be trying to tell you they’re under duress.
A vulnerability reported Wednesday by security firm Check Point could allow that to happen—along with hacks of other smart-home gadgets that employ the same widely used underlying Zigbee wireless protocol.
That’s “could” instead of “will” because Signify, the company behind the Philips-branded line of Hue smart bulbs, already patched that flaw in the firmware of the bridge base stations required by many of those connected lights. And since the Hue mobile apps come preset to install updates automatically, that patch should already be on every Hue bridge.
Does that make this a feel-good security story? No. The vulnerability documented by Tel Aviv-based Check Point Software Technologies relies on a common attack technique, and too many internet-of-things gadgets don’t come with automatic software updates. Check Point isn’t singling out any other devices as being vulnerable, but the list of Zigbee-certified hardware is long indeed.
A video posted by Check Point shows how it can work. As eerie music plays, the Hue bulb in a house starts changing colors and going on and off on its own—a sign that the attacker has exploited the flaw in an unpatched bridge to seize control. The attacker then uses the compromised bridge as a foothold to take over a Windows 7 laptop on the same home network.
“I’m inside your home network and I can do whatever I want,” sums up Yaniv Balmas, head of cyber research at Check Point.
The attacker does not need to be inside a home or office or even on the same Wi-Fi network as the target. Instead, plugging a special antenna into a laptop from as far as 330 feet (about 100 meters) away is enough to break into the Zigbee radio-frequency communications between the bridge and the Hue bulbs.
“Zigbee is a complex protocol,” says Balmas. “The problem, as always, is with the implementation.”
In this case, Check Point found that a buffer-overflow attack sufficed to get hostile code running on a Hue bridge. This is a common technique in which the attacker sends more data than the program expected for an input of a particular size; the excess spills past the buffer set aside for it and overwrites adjacent memory, and an attacker who controls what lands there can redirect what the program does next.
(Some newer Hue smart-bulb kits don’t require a bridge; this bug does not appear to affect them.)
Old problem, new targets
The same basic failure to check a length against the buffer meant to hold it lay behind the Heartbleed vulnerability in OpenSSL that left holes in the security of a large fraction of the web sites online almost six years ago (strictly speaking a buffer over-read, since that bug let attackers read past the end of a buffer rather than write past it). No, developers haven’t learned to close that hole. As Balmas puts it, “buffer overflows are everywhere.”
Check Point credited Signify for responding promptly and professionally to its report, resulting in a firmware update being pushed out to Hue bridge users on January 23.
The release notes for that patch, however, betray a common failing of the software industry by providing no useful information about their contents. They read, in full: “We regularly update your Hue Bridge to improve the performance and reliability of the system.”
But Signify has far too much company in that habit of not documenting security patches, in effect inviting users to put off installing what appear to be noncritical updates. When Twitter patched a vulnerability in its Android app that it considered severe enough to warrant an email to users, the release notes for that December 20 bug fix read: “We made improvements and squashed bugs so Twitter is even better for you.”
Check Point’s Balmas agrees: “They should be more clear with their customers about exactly what was found.”
But at least Signify responded correctly to Check Point’s report and had already instituted an automatic-updates policy. (To see if your Hue bridge has been patched, open the Hue app and tap Settings and then “Software update.”)
Signify also documents a vulnerability-disclosure policy, a key step many gadget vendors fail to take, leaving security researchers unclear on how to get their findings to the right people.
Many other IoT vendors probably aren’t exercising as much care.
“We can’t possibly research each and every device,” warns Balmas. “If you’ll ask me if other devices suffer from the same or similar vulnerability, my answer will probably be yes.”