Hacked by a Hue lightbulb? It sounds silly, but security researchers at Check Point Software recently demonstrated that unpatched Philips Hue smart lights be used as an attack vector into your network if someone takes advantage of an exploit in the ZigBee protocol that the bulbs use to communicate with their bridge.
That’s a mouthful, I realize. The hack is a lot more interesting to see in action—er, read about. Once an attacker has managed to upload modified firmware to a compromised older bulb, Check Point describes the rest of the fun:
- The hacker controls the bulb’s color or brightness to trick users into thinking the bulb has a glitch. The bulb appears as ‘Unreachable’ in the user’s control app, so they will try to ‘reset’ it.
- The only way to reset the bulb is to delete it from the app, and then instruct the control bridge to re-discover the bulb.
- The bridge discovers the compromised bulb, and the user adds it back onto their network.
- The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.
- The malware connects back to the hacker and using a known exploit (such as EternalBlue), they can infiltrate the target IP network from the bridge to spread ransomware or spyware.
Philips updated your Hue Hub with a patch to fix this particular vulnerability in mid-January, but it’s worth giving it a quick look to make sure it’s running the latest firmware. To do that:
- Open your Hue app on Android or iOS
- Tap on “Settings”
- Scroll down a bit and tap on “Software update”
- Wait longer than you should have to
- Look for your “Philips hue” hub and make sure it’s running “1935144040,” at minimum—the 1/24/20 update, if I’m correct.
If it isn’t, and there aren’t any updates available for your device, hang tight. You should (hopefully?) receive it soon. In the meantime, I recommend making sure you’re using the “Automatic update” feature within the Hue app so you don’t have to check for updates yourself ever again.
If you happen to own any other smart-home devices, give them a look, too; if they use ZigBee to communicate, you’ll want to stay on top of their updates (or tell them to update automatically) so any future vulnerabilities don’t catch you, or your home, by surprise.
And if your lights start flickering all spooky-ghost style, resist the urge to factory-reset your setup. Consider switching to a regular light bulb, and isolating the Hue Hub on a VLAN or something while you troubleshoot—which might involve a call to customer support, as I honestly have no idea how to overwrite a hacked bulb with correct, updated firmware…if it’s even possible. As The Verge notes:
“…it appears that once again, the bulbs themselves may still be vulnerable to hacks. When that flying drone set off a miniature IoT virus in 2016, companies found a way to solve for that worst-case scenario by restricting those bulb-to-bulb hops, writes Check Point. But “due to design limitations”, the bulb’s vulnerability remained, leading to the new hack — and perhaps other yet-to-be-discovered hacks in our future, as long as these bulbs remain in service. Leaving these bulbs vulnerable might be more dangerous than simply letting a hacker flick on and off your lights at will.”