The Internet of Things is full of insecure and somewhat dubious gadgets, but Philips Hue has generally had a decent reputation—a big reason why it’s one of the more popular brands in the space. However, researchers from Check Point Software have found that an already-known vulnerability with Hue lightbulbs could still be exploited to take control over your home or corporate network.
While that sounds scary, the good news is there’s already a firmware patch. Check Point disclosed the vulnerability to Philips and Signify (which owns the Hue brand) back in November. A patch was made available as an automatic update in mid-January. If you enable automatic updates, you should be set. Even so, it’s a good idea to check that you’re running firmware 1935144040. (Womp, my own Hue Bridge, had not received the update and I will be fixing that posthaste.)
The exploit makes use of the ZigBee low-power wireless protocol. It’s not a particularly new flaw either. In 2017, researchers found they could hijack Hue lightbulbs connected to a network, install malicious firmware, and then spread that to other lightbulbs in a chain reaction. This technique was also used in 2016 when a flying drone hacked a room full of Hue bulbs. This bulb-to-bulb vulnerability is also what Check Point’s researchers used to seize control over the Hue Bridge and then ultimately, the network it was attached to.
Check Point illustrates how the vulnerability can be exploited in a demo video. It’s a bit of a long con, but the way it works is this: Once a bad actor uploads some nasty firmware onto the bulb, they can then switch the bulb’s brightness or color. An unsuspecting user might then be tricked into thinking their bulb is malfunctioning, but when they check the Hue app, the bulb will appear as ‘Unreachable.’ At that point, the user will then do as many smart bulb owners do—uninstall and reinstall the bulb.
However, once that happens, the infected bulb is then connected to the bridge. Using the ZigBee protocol vulnerability, Check Point says a hacker can then “trigger a heap-based buffer overflow” by sending the controlling bridge a large amount of data. That in turn, will let them install malware onto the bridge itself—and if you’ve ever used a smart lighting bridge, then you know it’s directly plugged into your home network.
In a statement accompanying the research report, George Yianni, Head of Technology Philips Hue, said that the company is “thankful for [the] responsible disclosure and collaboration from Checkpoint, it has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk.”
While Check Point focused on the Philips Hue products, ZigBee itself is a popular protocol used by a number of recognizable smart home platforms. That includes Samsung SmartThings, Amazon Alexa, Belkin WeMo, Yale smart locks, Honeywell thermostats, and Ikea’s Tradfri lights. It’s not clear whether other devices using ZigBee are vulnerable, but it’s probably a good idea to get in the habit of regularly updating any smart home devices to the latest firmware. Or, better yet, keeping IoT devices on a separate network from other devices.