Vulnerabilities in the Internet of Things (IoT) would enable a hacker to deliver ransomware or other malware to business and home networks by taking over smart lightbulbs and their controller.
The potential threat has been revealed by Check Point Research, the Threat Intelligence arm of Check Point Software Technologies, a global provider of cyber security solutions.
Check Point’s researchers showed how a threat actor could exploit an IoT network, using smart lightbulbs and their control bridge, to launch attacks on conventional computer networks in homes, businesses or even smart cities. Researchers focused on the market-leading Philips Hue smart bulbs and bridge, and found vulnerabilities (CVE-2020-6007) that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices.
In an analysis of the security of ZigBee-controlled smart lightbulbs published in 2017, researchers were able to take control of a Hue lightbulb on a network, install malicious firmware on it and propagate to other adjacent lightbulb networks. Using this remaining vulnerability, Check Point's researchers took the prior work one step further and used the Hue lightbulb as a platform to take over the bulbs' control bridge and, ultimately, attack the target's computer network. It should be noted that more recent hardware generations of Hue lightbulbs do not have the exploited vulnerability.
The attack scenario is as follows:
- The hacker controls the bulb’s colour or brightness to trick users into thinking the bulb has a glitch. The bulb appears as ‘Unreachable’ in the user’s control app, so they will try to ‘reset’ it.
- The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb.
- The bridge discovers the compromised bulb, and the user adds it back onto their network.
- The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.
- The malware connects back to the hacker and using a known exploit (such as EternalBlue), they can infiltrate the target IP network from the bridge to spread ransomware or spyware.
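The bridge step above turns on a classic pattern: a length field the peer controls is copied into a fixed-size heap buffer without being checked against the buffer's capacity. The following C program is an added illustration of that pattern and of the check that closes it; it is not Check Point's exploit, not Signify's bridge firmware, and the two-byte-header wire format it parses is a constructed toy format, not ZigBee/ZCL framing. The "guard" bytes placed after the payload buffer are a stand-in for whatever neighbouring heap data would be clobbered on a real device, kept inside the same allocation so the demonstration stays well-defined C. The sample frames are constructed, not captured traffic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy wire format, NOT the real ZigBee/ZCL framing:
 *   [type:1][declared_len:1][payload:declared_len]
 * The pattern under study: a peer-controlled length copied into a
 * fixed-size heap buffer. */
#define MAX_PAYLOAD 16   /* capacity of the per-frame payload buffer           */
#define GUARD_LEN    8   /* stands in for data that happens to follow on heap  */
#define GUARD_BYTE 0xA5

typedef struct {
    uint8_t *block;  /* MAX_PAYLOAD payload bytes, then GUARD_LEN guard bytes */
    uint8_t  type;
    uint8_t  len;
} frame_t;

/* Guard lives in the same allocation as the payload so an overrun stays
 * inside malloc'd memory (well-defined C) yet still shows neighbouring
 * data being clobbered. On a real heap the victim is another object. */
static frame_t *frame_new(void)
{
    frame_t *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    f->block = malloc(MAX_PAYLOAD + GUARD_LEN);
    if (!f->block) { free(f); return NULL; }
    memset(f->block + MAX_PAYLOAD, GUARD_BYTE, GUARD_LEN);
    return f;
}

void frame_free(frame_t *f)
{
    if (f) { free(f->block); free(f); }
}

bool frame_guard_intact(const frame_t *f)
{
    for (int i = 0; i < GUARD_LEN; i++)
        if (f->block[MAX_PAYLOAD + i] != GUARD_BYTE) return false;
    return true;
}

/* VULNERABLE: checks only that enough bytes were received, never that the
 * declared length fits the destination. declared > MAX_PAYLOAD overruns. */
frame_t *parse_frame_vulnerable(const uint8_t *wire, size_t wirelen)
{
    if (wirelen < 2) return NULL;
    uint8_t declared = wire[1];
    if (wirelen < 2u + declared) return NULL;
    frame_t *f = frame_new();
    if (!f) return NULL;
    f->type = wire[0];
    f->len  = declared;
    memcpy(f->block, wire + 2, declared);   /* heap overrun when declared > 16 */
    return f;
}

/* HARDENED: the declared length is validated against the destination
 * capacity as well as the received byte count before anything is copied.
 * Oversized frames are rejected outright rather than silently truncated. */
frame_t *parse_frame_hardened(const uint8_t *wire, size_t wirelen)
{
    if (wirelen < 2) return NULL;
    uint8_t declared = wire[1];
    if (declared > MAX_PAYLOAD) return NULL;
    if (wirelen < 2u + declared) return NULL;
    frame_t *f = frame_new();
    if (!f) return NULL;
    f->type = wire[0];
    f->len  = declared;
    memcpy(f->block, wire + 2, declared);
    return f;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t GOOD_FRAME[] = { 0x01, 0x04, 'A', 'B', 'C', 'D' };
static const uint8_t BIG_FRAME[]  = { 0x01, 0x14,   /* declares 20 > MAX_PAYLOAD */
    'X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X','X' };

/* true if the vulnerable parser accepted BIG_FRAME and overwrote the guard */
bool vulnerable_clobbers_guard(void)
{
    frame_t *f = parse_frame_vulnerable(BIG_FRAME, sizeof BIG_FRAME);
    bool clobbered = f && !frame_guard_intact(f);
    frame_free(f);
    return clobbered;
}

/* true if the hardened parser rejects BIG_FRAME yet still accepts GOOD_FRAME */
bool hardened_rejects_oversize(void)
{
    if (parse_frame_hardened(BIG_FRAME, sizeof BIG_FRAME) != NULL) return false;
    frame_t *g = parse_frame_hardened(GOOD_FRAME, sizeof GOOD_FRAME);
    bool ok = g && g->len == 4 && memcmp(g->block, "ABCD", 4) == 0 && frame_guard_intact(g);
    frame_free(g);
    return ok;
}

int main(void)
{
    printf("vulnerable parser clobbers neighbouring heap data: %s\n",
           vulnerable_clobbers_guard() ? "yes" : "no");
    printf("hardened parser rejects oversized frame: %s\n",
           hardened_rejects_oversize() ? "yes" : "no");
    return 0;
}
```

Two details in the hardened parser matter in practice: the capacity check comes before the copy rather than clamping the copy length (clamping hides the attack and leaves `len` inconsistent with what was stored), and the comparison uses the destination's real capacity, not the length the sender claims. Memory-safety compiler flags and heap hardening on the device raise the cost of exploiting the vulnerable form, but only the length check removes it.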
“Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware,” said Yaniv Balmas, Head of Cyber Research, Check Point Research. “It’s critical that organisations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”
The research, which was done with the help of the Check Point Institute for Information Security (CPIIS) at Tel Aviv University, was disclosed to Philips and Signify (owner of the Philips Hue brand) in November 2019. Signify confirmed the existence of the vulnerability in its product and issued a patched firmware version (Firmware 1935144040), which is now available via an automatic update. Users should make sure that their bridge has received the automatic update to this firmware version.
“We are committed to protecting our users’ privacy and do everything to make our products safe,” says George Yianni, Head of Technology Philips Hue. “We are thankful for responsible disclosure and collaboration from Check Point, it has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk.”
Here is a demo video of how the attack works. The full technical research details will be published at a later date in order to give users time to successfully patch their vulnerable devices.
Check Point is the first vendor to provide a consolidated security solution that hardens and protects the firmware of IoT devices. Utilising a recently acquired technology, Check Point allows an organisation to mitigate device level attacks before devices are compromised utilising on-device run time protection.
TikTok takes on COVID-19
The fastest growing social media platform in the world has also become an epicenter of public education about the coronavirus, attracting more than 30-billion views, writes ARTHUR GOLDSTUCK
The young have been getting a bad rap for wanting to party on while COVID-19 sends the world into lockdown. But a different movie is playing itself out on the social platform that is growing fastest among teenagers: TikTok.
Awareness campaigns by TikTok itself, collaboration with the International Red Cross, and spontaneous videos made by TikTok creators have combined into a barrage of information, education, awareness and social consciousness around the coronavirus.
Both globally and in South Africa, TikTok’s COVID-19 campaigns have gone viral.
The local #HayiCorona challenge, designed to remind people not to touch their face and wash hands regularly, has passed 1.5-million views. The TikTok collaboration with the International Red Cross, the #WashingHands challenge, has passed 12.6-million views.
One of the best-known participants in these challenges, the past year’s icon of South African talent, the Ndlovu Youth Choir, took up the global challenge with a 20-second hand-washing video. It put together a performance that brings tremendous energy to what can be a clichéd message, and ends with a punt for the Department of Health’s WhatsApp information service. The video can be viewed below.
“On a global scale, TikTok also partnered with the World Health Organization (WHO) to ensure that, while creators are still having fun and expressing themselves on the platform, they stay informed with COVID-19 information coming from a reliable source,” a TikTok spokesperson told us. “Through the partnership, the WHO has created an informational page on TikTok that offers information to curb the spread of the coronavirus as well as dispelling myths.”
The page can be viewed at https://vm.tiktok.com/GHTEGf
TikTok has hosted a number of livestreams with WHO experts, attracting users from more than 70 countries, tuning in for live question and answer sessions. It has also introduced labels on coronavirus-related videos, to point users to trusted information. Resources are also offered directly in the app and in a dedicated COVID-19 section of TikTok’s Safety Center, at https://www.tiktok.com/safety/resources/covid-19.
If users simply want to explore videos on the topic, they can search via the #coronavirus hashtag, or click on https://vm.tiktok.com/swKbn4. The hashtag has had an astonishing 33.8-billion views, indicating the scale of activity and interest around the topic on the platform.
On World Backup Day: backup, backup, backup
It was World Backup Day yesterday, 31 March, at a time when business continuity is threatened as never before. That makes calls for protecting email and defending against ransomware all the more urgent.
The global coronavirus pandemic has brought into stark relief many organisations’ lack of business continuity plans and policies. With more than two billion people around the globe in forced lockdown in wide-ranging government efforts to stem the tide of infections, an unprecedented number of employees are working remotely.
This interruption to the normal way of work is precisely what an effective and resilient business continuity strategy should plan for, says Heino Gevers, cybersecurity specialist at Mimecast.
“Companies need uninterrupted access to critical business applications during times of disruption, including safe and secure web and email access for workers that are now operating outside the normal perimeters of the organisation,” he says. “In addition, comprehensive backup and archiving solutions should be ready to restore access to critical business applications should there be any unplanned downtime to ensure continuity until the crisis passes.”
According to Gevers, the current global crisis is likely to push business continuity up the list of priorities for many organisations that have been disrupted by the effects of the coronavirus.
“Organisations are facing new challenges to their productivity; for example in terms of technical support. If a remote user is infected with malware or ransomware, how does the IT team restore that device or do any remediation without being able to physically access it?”
Gevers advises that organisations implement tools that enhance the data protection capabilities of commonly used services such as Office 365 and can leverage archived data to provide quick recovery of email data in the event of accidental loss, malicious attacks or technical failure.
“As adoption of cloud-based business applications grow in the wake of forced lockdowns around the globe, companies need to ensure they have the tools to recover in any situation,” he says. “This includes a data management strategy that combines archiving, backup and data protection capabilities to allow for quick restoration of critical systems and applications in the event of disruption.”
Jasmit Sagoo, head of technology at Veritas for the United Kingdom and Ireland, warns that this is a golden age for cybercriminals looking for ransomware opportunities.
“As the global cost of ransomware continues to grow, this World Backup Day, Veritas is saying: ‘don’t pay up, back up!’,” he says. “Ransomware is said to generate an estimated annual revenue of $1 billion a year, and companies who are not consistent in backing up their data are allowing criminals to line their pockets.
“Ransomware attacks exist only because some businesses can’t survive unless the hackers give them back their data. So, the key to survival is removing that reliance and being able to regain access to data, without engaging with the cybercriminals. The best way to do that is with a sound backup strategy.
Sagoo advises organisations to create isolated, offline backup copies of their data to keep it out of reach of any attackers. They then need to proactively monitor and restrict backup credentials, while running backups frequently to shrink the risk of potential data loss. Businesses should also test and retest their ransomware defences regularly.
“Ransomware strikes without warning and it doesn’t discriminate between its targets – it can happen to any organisation, large or small. Despite their best efforts, most companies will fall to at least one attack. What distinguishes one victim from another is the ability to bounce back, which ultimately depends on its backup strategy.
“When ransomware hits, organisations that aren’t prepared often feel helpless to do anything other than to submit to their attacker’s demands. That’s why we’re urging all businesses to use World Backup Day as a catalyst to get ahead of the situation and get their data protected.”