Signify closes security vulnerability in Philips Hue Bridge 2.0

Spread the love

Signify has released a firmware update for the Bridge 2.0 of Philips Hue lighting. A research company outlines a scenario of how a network could be penetrated through the vulnerability.

Firmware version 1935144040 for the Philips Hue Bridge 2.0 was already provided last month without further explanation, but security company Check Point now reports that with the release at least one vulnerability has been fixed.

Check Point demonstrates with a proof-of-concept how the vulnerability can be exploited. An attacker can take control of a Hue lamp to trick the user into thinking that a reset is needed. After removing the lamp from the app and adding it again, the lamp with updated firmware allows the attacker to perform a heap-based buffer overflow attack via ZigBee protocol on the Philips Hue Bridge 2.0.

Thanks to the vulnerability, it is possible to install malware on the bridge with this attack. This could allow the attacker to further exploit any vulnerabilities within a network to gain access. Check Point mentions as an example, already patched, EternalBlue leak in Windows.

Check Point reported its findings to Signify in November last year. The vulnerability has been given the identifier CVE-2020-6007.

You might also like
Exit mobile version