Computers can be hacked through a "smart" light bulb


Smart light bulbs can not only make the lighting in an apartment and house more convenient and cheaper but also threaten the safety of their owners.

Experts have proven that hackers can hack computers through smart light bulbs. The vulnerability in the smart home system was noticed by cybersecurity company Check Point.

Experts have discovered a way to hack computers through a lamp using a Philips smart home system. At the first stage, the virus program is downloaded to the victim's smartphone and causes the lighting to fail. Experts have noticed that the only way to fix the problem is to reinstall the app, so the user deletes the program and re-downloads it to their phone.

When the owner of the lamp connects it to the smart home system, attackers take advantage of the vulnerability in the ZigBee protocol, which Philips uses. At the moment of pairing between the lamp and the smart hub, the malicious algorithm causes an overflow of the system buffer, bypasses the antivirus and is installed on the computer's disk. After that, the device comes under the remote control of the hackers.

Check Point experts said that the study has already attracted the attention of the manufacturer of the smart lamps, which has eliminated the gap in the system. Experts advised owners of the Philips smart home system to update their software.

Experts have found vulnerabilities in Philips smart bulbs (at the moment, the problem with these devices has already been solved), but it is possible that similar vulnerabilities exist in many other smart home devices.

Earlier, EHackingNews reported that in the fall of 2019 Anna Prosvetova, an IT specialist and blogger from Russia, discovered a vulnerability in the Xiaomi Furrytail Pet Smart Feeder. Since feeders are used when the owners leave the house for a long time, pets may starve to death. The vulnerability was discovered in the application API through which the feeders are controlled.

Milwaukee Couple's Nest Smart Home Hacked, Vulgar Music was Played


Smart home products designed by Nest, such as smart cameras, smart displays, smart thermostats and smart doorbells, are meant to make our lives more comfortable and safe, but they may not be all that safe, according to a horrifying incident reported by a Milwaukee, Wisconsin-based couple, Samantha and Lamont Westmoreland.

After a hacker hacked into the couple's home and took control of their gadgets, Samantha said, "It's [installation of gadgets] supposed to make me feel safe, and I didn't feel safe," and "My heart was racing, I felt so violated at that point."

According to a report by Fox 6 News, on September 17th Samantha returned to her home, where a Nest camera, a doorbell and a thermostat are installed, and found it unusually warm. She immediately noticed that her smart thermostat had risen to 32 degrees Celsius (90 degrees Fahrenheit).

Initially, she assumed it was a glitch and set it back to room temperature, but it kept going up every time she turned it down. A while later, the couple heard a voice talking to them from their Nest camera, and afterward it played vulgar music. Samantha unplugged the camera and turned it to face the ceiling. They changed the passwords of all three devices, but as the issues persisted, they resorted to contacting their internet service provider to have their network and IDs reset.

The couple believed that their Wi-Fi network and Nest camera had been hacked. Putting the problem into perspective, Lamont Westmoreland said, "If someone hacks into your Wi-Fi, they shouldn't be able to have access to those Nest devices without some sort of wall they have to get over."

In a conversation with Fox 6 News, the couple revealed that the smart home accessories, which they have had installed at their home since last year, cost them $700, and that they had never faced any problem before this. In the wake of this terrifying incident, however, they had a change of mind regarding smart home devices.

Meanwhile, responding to the disturbing experience, a Google spokesperson told a media outlet, "Nest was not breached. These reports are based on customers using compromised passwords. In nearly all cases, two-factor verification eliminates this type of security risk."

TP-Link's SR20 Smart Home Router Discovered To Come With a Vulnerability As Per Google Security Researcher




TP-Link's SR20 Smart Home Router was recently found to contain a vulnerability that allows arbitrary command execution from a local network connection, according to Google security researcher Matthew Garrett. The router, launched in 2016, exposes various commands that run with root privileges and do not even require validation.

The researcher made the issue public after he was unable to get a response from TP-Link, and even published a proof-of-concept to demonstrate the weakness.

Garrett took to Twitter to explain that the TP-Link SR20 Smart Home Router ships with TDDP (the TP-Link Device Debug Protocol), which is affected by several vulnerabilities, one of them being that version 1 commands are 'exposed' for attackers to exploit.

He says that these exposed commands allow attackers to send a command containing a filename and a semicolon to start the process.

“This connects back to the machine that sent the command and attempts to download a file via TFTP (Trivial File Transfer Protocol) corresponding to the filename it sent. The main TDDP process waits up to four seconds for the file to appear - once it does, it loads the file into a Lua interpreter it initialized earlier, and calls the function config_test() with the name of the config file and the remote address as arguments. Since config_test() is provided by the file that was downloaded from the remote machine, this gives arbitrary code execution in the interpreter, which includes the os.execute method which just runs commands on the host. Since TDDP is running as root, you get arbitrary command execution as root,” he explains on his blog.

Garrett says he reported this vulnerability to TP-Link in December through its security disclosure form. The page told him that he would get a response within three days, but he has not heard back from the company to date. He added that he also tweeted at TP-Link about the issue, but that drew no response either.
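
The sequence Garrett describes is visible on the network: a TDDP version 1 datagram reaches the router, and within four seconds the router sends a TFTP read request back to the sender. The detection sketch below is an added example, not code from the original post or from Garrett. The TDDP port (UDP 1040), the position of the version byte and every sample record are assumptions or constructed values.

```python
from dataclasses import dataclass

TDDP_PORT = 1040         # assumption: UDP port of the TDDP service (not on the page)
TDDP_V1 = b"\x01"        # assumption: first byte carries the protocol version
TFTP_PORT = 69           # TFTP well-known port (RFC 1350)
TFTP_RRQ = b"\x00\x01"   # TFTP read-request opcode (RFC 1350)
CALLBACK_WINDOW = 4.0    # seconds; TDDP "waits up to four seconds" for the file

@dataclass(frozen=True)
class Datagram:
    ts: float        # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes

def tftp_filename(payload):
    """Return the filename of a TFTP read request, or None if it is not one."""
    if not payload.startswith(TFTP_RRQ):
        return None
    name, sep, _ = payload[2:].partition(b"\x00")
    return name.decode("ascii", "replace") if sep and name else None

def detect(datagrams):
    """Flag TDDP version 1 datagrams and any TFTP fetch they trigger."""
    alerts, pending = [], []   # pending: (ts, sender, router) of recent v1 datagrams
    for d in sorted(datagrams, key=lambda d: d.ts):
        pending = [p for p in pending if d.ts - p[0] <= CALLBACK_WINDOW]
        if d.dport == TDDP_PORT and d.payload[:1] == TDDP_V1:
            pending.append((d.ts, d.src, d.dst))
            alerts.append(("tddp-v1", d.src, d.dst, None))
        elif d.dport == TFTP_PORT and (name := tftp_filename(d.payload)):
            # The router fetching a file from the host that just sent it TDDP v1
            if any(d.src == r and d.dst == s for _, s, r in pending):
                alerts.append(("tddp-tftp-callback", d.dst, d.src, name))
    return alerts

# Constructed sample capture: addresses, file name and bodies are made up.
ROUTER, HOST = "192.168.0.1", "192.168.0.50"
SAMPLE = [
    Datagram(10.0, HOST, ROUTER, TDDP_PORT, TDDP_V1 + bytes(11) + b"<body>"),
    Datagram(11.5, ROUTER, HOST, TFTP_PORT, TFTP_RRQ + b"example.cfg\x00octet\x00"),
    Datagram(30.0, "192.168.0.77", ROUTER, TDDP_PORT, b"\x02" + bytes(11)),
    Datagram(40.0, ROUTER, HOST, TFTP_PORT, TFTP_RRQ + b"example.cfg\x00octet\x00"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

On the sample capture only the first two records raise alerts; the later TFTP request falls outside the four-second window and is not correlated.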