(1) AST of method: hash(java.lang.String) class: com.philips.lighting.hue.sdk.wrapper.domain.BridgeIdHasher
Unique Nodes with their domain types.
Node (Input Param): s Domain Type: original_text
Node: sb.toString() Domain Type: original_text
Node: final byte[] bytes = s.getBytes(a) Domain Type: original_text
Node: s.getBytes(a) Domain Type: original_text
Node: bytes Domain Type: original_text
Node: final byte[] digest = MessageDigest.getInstance("SHA-256").digest(bytes) Domain Type: hash
Node: MessageDigest.getInstance("SHA-256").digest(bytes) Domain Type: hash
Node: digest Domain Type: hash
Node: MessageDigest.getInstance("SHA-256") Domain Type: hash
Node: String.format("%02x", Arrays.copyOf(array, array.length)) Domain Type: original_text
Node: sb2.toString() Domain Type: original_text
Node: s.substring(0, 32) Domain Type: original_text

(2) AST of method: getHashedBridgeIdentifier(Bridge) class: com.philips.lighting.hue.sdk.wrapper.device.bridge.BridgeKt
Unique Nodes with their domain types.
Node: final String identifier = bridge.getIdentifier() Domain Type: original_text
Node: bridge.getIdentifier() Domain Type: original_text
Node: identifier Domain Type: original_text

The extracted specification of the Chromecast system as a list of Protocol Information (PIL)
PIL1 = ['1', 'SD,ZFE,zigbee', 'msg=(BeaconRequest)', 'ACSeq=<(SD,send,{msg}),(ZFE,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={1,4}']
PIL2 = ['2', 'ZFE,SD,zigbee', 'msg=(PanID,HubID,AssoPermit)', 'ACSeq=<(ZFE,send,{msg}),(SD,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={2}']
PIL3 = ['3', 'SD,ZFE,zigbee', 'msg=(PanID,DeviceID)', 'ACSeq=<(SD,send,{msg}),(ZFE,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={12}']  #12
PIL4 = ['4', 'ZFE,SD,zigbee', 'msg=(BeaconRequest)', 'ACSeq=<(ZFE,send,{msg}),(SD,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={-}']
PIL5 = ['5', 'SD,ZFE,zigbee', 'msg=(PanID,DeviceID,AssoPermit)', 'ACSeq=<(SD,send,{msg}),(ZFE,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={19}']  #19
PIL6 = ['6', 'CP,HS,wifi', 'msg=(UPnPMsearchRequest)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={6}']
PIL7 = ['7', 'HS,CP,wifi', 'msg=(CPIP,ServName,HubIP,HubID)', 'ACSeq=<(HS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL8 = ['8', 'CP,HS,wifi', 'msg=(HubIP,x)', 'ACSeq=<(CP,newnonce,{x}),(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL9 = ['9', 'HS,CP,wifi', 'msg=(CPIP,hash(x))', 'ACSeq=<(HS,executeCommand,{LinkBTrue}),(HS,send,{msg}),(HS,executeCommand,{LinkBFalse}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={10,17,24,26}']
PIL10 = ['10', 'CP,HS,wifi', 'msg=(HubIP,hash(x),SearchLightRequest)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC={ZFE}', 'BR={-}']
PIL11 = ['11', 'HS,CP,wifi', 'msg=(CPIP,RequestSuccess)', 'ACSeq=<(HS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={10}']
PIL12 = ['12', 'ZFE,SD,zigbee', 'msg=(ScanRequest,PanID)', 'ACSeq=<(ZFE,send,{msg}),(SD,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={-}']
PIL13 = ['13', 'SD,ZFE,zigbee', 'msg=(HubID,PanID,ScanResponse)', 'ACSeq=<(SD,send,{msg}),(ZFE,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={-}']
PIL14 = ['14', 'ZFE,SD,zigbee', 'msg=(DeviceID,IdentifyRequest)', 'ACSeq=<(ZFE,send,{msg}),(SD,receive,{msg}),(SD,executeCommand,{IdentifyRequest})>', 'ch=zigbee', 'rLC=-', 'BR={-}']
PIL15 = ['15', 'ZFE,SD,zigbee', 'msg=(DeviceID,PanID,NetworkJoinRequest)', 'ACSeq=<(ZFE,send,{msg}),(SD,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={-}']
PIL16 = ['16', 'SD,ZFE,zigbee', 'msg=(HubID,PanID,NetworkJoinResponse)', 'ACSeq=<(SD,send,{msg}),(ZFE,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={36}']
PIL17 = ['17', 'CP,HS,wifi', 'msg=(HubIP,hash(x),JoinNearestDeviceRequest)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC={ZFE}', 'BR={19}']
PIL18 = ['18', 'HS,CP,wifi', 'msg=(CPIP,Success)', 'ACSeq=<(HS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={17}']
PIL19 = ['19', 'ZFE,SD,zigbee', 'msg=(LinkScanRequest,PanID)', 'ACSeq=<(ZFE,send,{msg}),(SD,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={-}']
PIL20 = ['20', 'SD,ZFE,zigbee', 'msg=(HubID,PanID,LinkScanRequest)', 'ACSeq=<(SD,send,{msg}),(ZFE,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={-}']
PIL21 = ['21', 'ZFE,SD,zigbee', 'msg=(DeviceID,LinkIdentifyRequest)', 'ACSeq=<(ZFE,send,{msg}),(SD,receive,{msg}),(SD,executeCommand,{LinkIdentifyRequest})>', 'ch=zigbee', 'rLC=-', 'BR={-}']
PIL22 = ['22', 'ZFE,SD,zigbee', 'msg=(DeviceID,PanID,LinkNetworkJoinRequest)', 'ACSeq=<(ZFE,send,{msg}),(SD,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={-}']
PIL23 = ['23', 'SD,ZFE,zigbee', 'msg=(HubID,PanID,LinkNetworkJoinResponse)', 'ACSeq=<(SD,send,{msg}),(ZFE,receive,{msg})>', 'ch=zigbee', 'rLC=-', 'BR={39}']
PIL24 = ['24', 'CP,HS,wifi', 'msg=(HubIP,hash(x),RequestLightResult)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL25 = ['25', 'HS,CP,wifi', 'msg=(CPIP,LightNo,LightName)', 'ACSeq=<(HS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={24,34}']
PIL26 = ['26', 'CP,HS,wifi', 'msg=(HubIP,hash(x),GetInfoRequest)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL27 = ['27', 'HS,CP,wifi', 'msg=(CPIP,Configs,Lights,Whitelist)', 'ACSeq=<(HS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={26,28,30,32}']
PIL28 = ['28', 'CP,HS,wifi', 'msg=(HubIP,hash(x),DeleteLightRequest)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL29 = ['29', 'HS,CP,wifi', 'msg=(CPIP,AdminSuccess)', 'ACSeq=<(HS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={28}']
PIL30 = ['30', 'CP,HS,wifi', 'msg=(HubIP,hash(x),DeleteUserIDRequest)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL31 = ['31', 'HS,CP,wifi', 'msg=(CPIP,AdminSuccess)', 'ACSeq=<(HS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={30}']
PIL32 = ['32', 'CP,HS,wifi', 'msg=(HubIP,hash(x),LinkButtonTrue)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg}),(HS,executeCommand,{LinkButtonTrue})>', 'ch=wifi', 'rLC=-', 'BR={-}']
PIL33 = ['33', 'HS,CP,wifi', 'msg=(CPIP,AdminSuccess)', 'ACSeq=<(HS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={32}']
PIL34 = ['34', 'CP,HS,wifi', 'msg=(HubIP,hash(x),Controlcmd)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC={ZFE}', 'BR={-}']
PIL35 = ['35', 'HS,CP,wifi', 'msg=(CPIP,RequestSuccess)', 'ACSeq=<(HS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={34,38,41}']
PIL36 = ['36', 'ZFE,SD,zigbee', 'msg=(DeviceID,PanID,EncryptedControlcmd)', 'ACSeq=<(ZFE,send,{msg}),(SD,receive,{msg}),(SD,executeCommand,{EncryptedControlcmd})>', 'ch=zigbee', 'rLC=-', 'BR={-}']
PIL37 = ['37', 'SD,ZFE,zigbee', 'msg=(HubID,ACK)', 'ACSeq=<(SD,send,{msg}),(ZFE,receive,{msg})>', 'ch=zigbee', 'rLC={HS}', 'BR={36}']
PIL38 = ['38', 'HS,CP,wifi', 'msg=(CPIP,ControlcmdSuccess)', 'ACSeq=<(HS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={34}']
PIL39 = ['39', 'ZFE,SD,zigbee', 'msg=(DeviceID,PanID,EncryptedControlcmd)', 'ACSeq=<(ZFE,send,{msg}),(SD,receive,{msg}),(SD,executeCommand,{EncryptedControlcmd})>', 'ch=zigbee', 'rLC=-', 'BR={-}']
PIL40 = ['40', 'SD,ZFE,zigbee', 'msg=(HubID,ACK)', 'ACSeq=<(SD,send,{msg}),(ZFE,receive,{msg})>', 'ch=zigbee', 'rLC={HS}', 'BR={39}']
PIL41 = ['41', 'HS,CP,wifi', 'msg=(CPIP,ControlcmdSuccess)', 'ACSeq=<(HS,send,{msg}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={34}']

The Local LTS of the Philips Hue CP, HS, ZFE, and SD generated by HomeScan.
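A small parser for the PIL layout above, added here as an example and not HomeScan's own code. It reads a constructed subset of the page's Wi-Fi-side entries; the field names it assigns (sender and receiver from the second element, BR as a set of PIL ids) are my reading of the layout, and the "token-only" query simply lists CP-to-HS messages whose only authenticator is hash(x).

```python
import re

# Constructed subset of the appendix's PIL entries (Wi-Fi side only), kept in
# the page's own list-of-strings layout; ids and message names are the page's.
PILS = [
    ['8', 'CP,HS,wifi', 'msg=(HubIP,x)', 'ACSeq=<(CP,newnonce,{x}),(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}'],
    ['9', 'HS,CP,wifi', 'msg=(CPIP,hash(x))', 'ACSeq=<(HS,executeCommand,{LinkBTrue}),(HS,send,{msg}),(HS,executeCommand,{LinkBFalse}),(CP,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={10,17,24,26}'],
    ['10', 'CP,HS,wifi', 'msg=(HubIP,hash(x),SearchLightRequest)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC={ZFE}', 'BR={-}'],
    ['17', 'CP,HS,wifi', 'msg=(HubIP,hash(x),JoinNearestDeviceRequest)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC={ZFE}', 'BR={19}'],
    ['24', 'CP,HS,wifi', 'msg=(HubIP,hash(x),RequestLightResult)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}'],
    ['26', 'CP,HS,wifi', 'msg=(HubIP,hash(x),GetInfoRequest)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}'],
    ['28', 'CP,HS,wifi', 'msg=(HubIP,hash(x),DeleteLightRequest)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}'],
    ['30', 'CP,HS,wifi', 'msg=(HubIP,hash(x),DeleteUserIDRequest)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg})>', 'ch=wifi', 'rLC=-', 'BR={-}'],
    ['32', 'CP,HS,wifi', 'msg=(HubIP,hash(x),LinkButtonTrue)', 'ACSeq=<(CP,send,{msg}),(HS,receive,{msg}),(HS,executeCommand,{LinkButtonTrue})>', 'ch=wifi', 'rLC=-', 'BR={-}'],
]

# One ACSeq action: (component, action, parameter)
ACTION = re.compile(r'\((\w+),\s*(\w+),\s*\{([^}]*)\}\)')

def parse_pil(entry):
    """Turn one PIL list-of-strings into a dict of its fields."""
    pid, parties, msg, acseq, ch, rlc, br = entry
    sender, receiver, channel = [p.strip() for p in parties.split(',')]
    return {
        'id': int(pid), 'sender': sender, 'receiver': receiver, 'channel': channel,
        'msg': [m.strip() for m in msg[len('msg=('):-1].split(',')],
        'acseq': ACTION.findall(acseq),
        'rLC': [] if rlc == 'rLC=-' else rlc[len('rLC={'):-1].split(','),
        'BR': set() if br == 'BR={-}' else {int(i) for i in br[len('BR={'):-1].split(',')},
    }

def executed_by(pils, component):
    """Commands a component executes on receipt (its executeCommand actions)."""
    return sorted({p for pil in map(parse_pil, pils)
                   for a, act, p in pil['acseq'] if a == component and act == 'executeCommand'})

def token_only_commands(pils):
    """(id, command) of CP->HS messages authenticated by hash(x) alone."""
    return [(pil['id'], pil['msg'][-1]) for pil in map(parse_pil, pils)
            if pil['sender'] == 'CP' and 'hash(x)' in pil['msg']]

def check_br_refs(pils):
    """Spec consistency: BR references that name no PIL in the list.
    On this subset PIL17 -> 19 is dangling because the ZigBee entries are omitted."""
    ids = {parse_pil(p)['id'] for p in pils}
    return {pil['id']: sorted(pil['BR'] - ids) for pil in map(parse_pil, pils) if pil['BR'] - ids}
```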
Model, Attacker and Security Properties
In the Philips Hue system, the authentication between the CP and the HS relies on the user pressing the button on the hub. However, once the button has been pressed, the protocol does not guarantee that the HS responds only to the benign CP. Consequently, a malicious CP that knows the HubIP of the HS can send a valid authentication request (e.g., an HTTP POST request with a nonce as the request parameter and HubIP as the destination) and obtain a token (e.g., hash(nonce)) from the HS. In this way, the malicious CP gets authenticated by the benign HS. To conduct this attack in reality, the malicious CP can continuously send authentication requests until the user presses the button on the hub. Once authenticated, the malicious CP is able to send control commands, such as turning lights on/off and changing colour, to the HS in order to control the SD.
Sending LinkButtonTrue command.
– Uncontrolled CP Authentication. Because administrative commands are not restricted, an authenticated malicious CP can force a benign HS to keep “linkbutton” in the true state by sending the LinkButtonTrue command. The victim HS then authenticates any other malicious CP in the LAN upon an authentication request, without the button on the hub being pressed.
The Philips Hue system does not enforce any restriction on invoking the administrative commands. Hence, any CP authenticated by the HS can re-configure the system by sending administration commands including adding/removing SDs (SearchLight/DeleteLightRequest) and deleting whitelisted CPs (DeleteUserIDRequest). This security issue may result in the following consequences.
– Denial-of-Service against the HS. The malicious CP can delete all other authentication tokens stored in the whitelist at the benign HS by continuously sending DeleteUserIDRequest. Hence, the benign CP is unable to be authenticated by the benign HS.
– Denial-of-Service against the SD. The malicious CP can delete SDs that are already connected to the hub by sending DeleteLightRequest. If this command is sent continuously, the SD cannot maintain a stable connection with the ZFE. Taken together, these attacks show that a common assumption of smart home systems, namely trust in the home Wi-Fi, has serious consequences once it is invalidated; attackers can, for instance, deceive benign users into installing malicious applications on the CP, which then exploit these vulnerabilities from behind the home Wi-Fi.
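To make the findings above concrete, an added toy model of the HS behaviour the text describes (not HomeScan's or Philips Hue's code), with an audit function giving the defender's view: which authentications were enabled by a physical press and which by the LinkButtonTrue command, and which CP issued which administrative command. The token derivation as a truncated SHA-256 hex string mirrors the BridgeIdHasher AST above but is an assumption about the token format; the CP names and the light table are constructed.

```python
import hashlib

class HubModel:
    """Toy HS model: linkbutton is set by a physical press or by the LinkButtonTrue
    command, and every later command is checked only against the whitelist."""
    ADMIN = {'LinkButtonTrue', 'DeleteUserIDRequest', 'DeleteLightRequest'}

    def __init__(self):
        self.linkbutton = None       # None, 'button' or 'api': what enabled it
        self.whitelist = {}          # token -> CP that obtained it
        self.lights = {'1': 'lamp'}  # constructed SD table
        self.events = []             # audit trail: (kind, cp, detail)

    def press_button(self):
        self.linkbutton = 'button'
        self.events.append(('press', None, None))

    def auth_request(self, cp, nonce):
        """PIL8/PIL9: hash(nonce) goes to whoever asks while linkbutton is set."""
        if self.linkbutton is None:
            return None
        token = hashlib.sha256(nonce.encode()).hexdigest()[:32]  # assumed: BridgeIdHasher-style
        self.whitelist[token] = cp
        self.events.append(('auth', cp, self.linkbutton))
        self.linkbutton = None  # LinkBFalse after the response (PIL9)
        return token

    def command(self, token, cmd, arg=None):
        """Any whitelisted token may issue any command, administrative ones included."""
        cp = self.whitelist.get(token)
        if cp is None:
            return 'Unauthorized'
        if cmd == 'LinkButtonTrue':
            self.linkbutton = 'api'
        elif cmd == 'DeleteUserIDRequest':
            self.whitelist.pop(arg, None)
        elif cmd == 'DeleteLightRequest':
            self.lights.pop(arg, None)
        self.events.append(('cmd', cp, cmd))
        return 'AdminSuccess' if cmd in HubModel.ADMIN else 'RequestSuccess'

def audit(hub):
    """Authentications enabled via the API rather than a press, and admin commands per CP."""
    api_auths = [cp for kind, cp, how in hub.events if kind == 'auth' and how == 'api']
    admin = {}
    for kind, cp, cmd in hub.events:
        if kind == 'cmd' and cmd in HubModel.ADMIN:
            admin.setdefault(cp, []).append(cmd)
    return api_auths, admin
```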
We have found that the SD of the Philips Hue system responds to beacon requests from ZigBee-enabled devices even after it has joined a ZigBee network, which reveals its identity (DeviceID). In addition, the touchlink commissioning of the ZigBee Light Link (ZLL) protocol used by Philips Hue can reset the existing configuration on a benign SD and establish a new connection with the initiator. As a consequence, a malicious ZFE with a configuration similar to the benign ZFE (e.g., another Philips Hue hub) can first discover the benign SDs in the neighbourhood and then trigger touchlink commissioning to reset and connect to the discovered SDs. In this way, the benign SDs are hijacked by the malicious hub.