Security company hacks Zigbee bulb and plants malware on your PC



Posted

I've always thought it would be difficult to use a "zigbee" or "z-wave" device to "hack your home network" because you would think there is a "big separation gap between your Zigbee lamp and your computer".

 

Seems like someone did it... And it is interesting how they chained together everything. In my words:

 

- The hacker takes control of the bulb (they don't say how) and makes the bulb update (malicious) firmware. This removes the lamp from the Hue, but the hacker controls the bulb and makes it flicker.

- The end-user cannot find a way to control this bulb, so resets the lamp, which then rejoins the Hue hub.

- The malicious firmware sends specially crafted zigbee packets to the Hue hub and causes a "buffer overflow".

- The buffer overflow causes the hub to run arbitrary code. In their demo video, they use a Windows vulnerability to control a PC.

 

One could argue, this is still mainly a vulnerability of an IP and internet connected device and a known category (buffer overflow) of attack... But still... Using a smart light bulb to trigger the attack is novel to say the least.

 

This is posted by a security company, and they say Signify has patched the Hue bridge, so it is safe to disclose the issue.

 


 

They are trying to sell their products and I have no opinion on that... I merely point out the "funny" idea of "My PC got hacked through a Zigbee light bulb". If someone tells you this at a party, don't laugh, it might be true ;)

Posted

Peter, nice!

How to avoid automatic update?

In the early days the update could be done manually.

Windows 10 doesn't allow you to switch off automatic updates. Mostly when my laptop is crashed because of an update.

Okay we need updates to be more secure but when you start it by yourself you know what is happening.

Hue can be set on manual.

I don't worry because I can't reach my HUE when I am not at home, smile.

//Sjakie

 

 
