Time to patch your lightbulb? Researchers demonstrate Philips Hue exploit (Security News, February 2020)
Researchers at Check Point have demonstrated how to infect a network with malware via a simple IoT device, a Philips Hue smart lightbulb.
One of the vulnerabilities used is CVE-2020-6007, a buffer overflow in the Philips Hue Bridge controller firmware, in the part of the software that adds new devices to the controller.
The EternalBlue exploit is successfully used against a Windows PC. Philips has already made a patch available for its Hue Bridge, but Check Point said it was postponing "the release of the full technical details" to give more time for the patch to be downloaded and installed on affected products.
"By flying such a drone in a zig-zag pattern high over a city, an attacker can disable all the Philips Hue smart lamps in city centers within a few minutes," it said.
What may give pause for thought is that the Philips Hue devices were described as "very hard targets for finding and exploiting software vulnerabilities" by the 2016 researchers, but still proved to be vulnerable.
Related Vulnerability
| Date | CVE | Vulnerability title | Risk |
|---|---|---|---|
| 2020-01-23 | CVE-2020-6007 | Out-of-bounds write vulnerability in Philips Hue Bridge V2 firmware: Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a heap-based buffer overflow when handling a long ZCL string during the commissioning phase, resulting in remote code execution. | 7.9 |
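The table entry describes the bug class (an attacker-supplied ZCL string length copied into a fixed-size heap buffer during commissioning). The following is an added example, not Philips or Check Point code and not the real Hue Bridge firmware: a hardened reader for the two ZCL string types (1-byte and 2-byte length prefix, type codes 0x42 and 0x44 from the ZCL specification) that checks the declared length against both the remaining frame bytes and the destination capacity. The frame layout, `NAME_CAP` and the sample frames are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ZCL attribute type codes (from the ZCL spec): 0x42 = character string with a
 * 1-byte length prefix, 0x44 = long character string with a 2-byte
 * little-endian length prefix. The surrounding frame layout is an assumption. */
#define ZCL_CHAR_STRING      0x42
#define ZCL_LONG_CHAR_STRING 0x44
#define NAME_CAP 32   /* constructed: fixed-size buffer a commissioning handler fills */

/* Read one ZCL string attribute value from `frame` into `out` (NUL-terminated).
 * Returns bytes consumed from the frame, or 0 on any error. The declared length
 * is attacker-controlled, so it is checked against BOTH the bytes actually
 * present and the destination capacity before any copy happens. */
size_t zcl_string_read(const uint8_t *frame, size_t frame_len,
                       char *out, size_t out_cap)
{
    size_t hdr, len;
    if (frame_len < 2 || out_cap == 0) return 0;
    switch (frame[0]) {
    case ZCL_CHAR_STRING:      hdr = 2; len = frame[1]; break;
    case ZCL_LONG_CHAR_STRING:
        if (frame_len < 3) return 0;
        hdr = 3; len = (size_t)frame[1] | ((size_t)frame[2] << 8); break;
    default: return 0;
    }
    /* Truncation check: the string must fit in what was actually received. */
    if (len > frame_len - hdr) return 0;
    /* Capacity check: the step whose absence turns a long string into a heap
     * overflow. Reject (so the caller can log it) rather than silently copy. */
    if (len >= out_cap) return 0;
    memcpy(out, frame + hdr, len);
    out[len] = '\0';
    return hdr + len;
}

/* Constructed sample frame: well-formed 5-byte string "Hue-1". */
static const uint8_t kGoodFrame[] = { 0x42, 5, 'H', 'u', 'e', '-', '1' };

/* Returns 1 if the well-formed frame parses to "Hue-1" consuming 7 bytes. */
int demo_good(void) {
    char name[NAME_CAP];
    size_t n = zcl_string_read(kGoodFrame, sizeof kGoodFrame, name, sizeof name);
    return n == 7 && strcmp(name, "Hue-1") == 0;
}
/* Returns 1 if a 40-byte string (present in full, but longer than NAME_CAP)
 * is rejected instead of overrunning the destination. */
int demo_overlong(void) {
    uint8_t frame[2 + 40]; char name[NAME_CAP];
    frame[0] = ZCL_CHAR_STRING; frame[1] = 40; memset(frame + 2, 'A', 40);
    return zcl_string_read(frame, sizeof frame, name, sizeof name) == 0;
}
```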