Time to patch your lightbulb? Researchers demonstrate Philips Hue exploit
2020-02-05 20:16

Researchers at Check Point have demonstrated how to infect a network with malware via a simple IoT device, a Philips Hue smart lightbulb.

One is CVE-2020-6007, a buffer overflow in the Philips Hue Bridge controller firmware, in the part of the software that adds new devices to the controller.

The EternalBlue exploit is successfully used against a Windows PC. Philips has already made a patch available for its Hue Bridge, but Check Point said it was postponing "the release of the full technical details" to give more time for it to be downloaded and installed on affected products.

"By flying such a drone in a zig-zag pattern high over a city, an attacker can disable all the Philips Hue smart lamps in city centers within a few minutes," it said.

What may give pause for thought is that the Philips Hue devices are described as "very hard targets for finding and exploiting software vulnerabilities" by the 2016 researchers, but still proved to be vulnerable.


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/05/time_to_patch_your_lightbulb_researchers_demonstrate_philips_hue_exploit/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2020-01-23 | CVE-2020-6007 | Out-of-bounds Write vulnerability in Philips HUE Bridge V2 Firmware | 7.9

Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
high complexity, philips, CWE-787

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Philips 111 24 58 22 3 107