Unpatched Philips Hue smart bulbs let hackers attack your network

New research from Check Point shows how business and home networks can be hacked from a lightbulb, an unpatched Philips Hue smart bulb, to be precise.

Check Point:

Everyone is familiar with the concept of IoT, the Internet of Things, but how many of you have heard of smart lightbulbs? By using a mobile app, or your digital home assistant, you can control the light in your house and even calibrate the color of each lightbulb! These smart lightbulbs are managed over the air using the familiar WiFi protocol or ZigBee, a low bandwidth radio protocol.

Could attackers somehow bridge the gap between the physical IoT network (the lightbulbs) and attack even more appealing targets, such as the computer network in our homes, offices or even our smart city?

And the answer is: Yes… Check Point’s researchers showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities. Our researchers focused on the market-leading Philips Hue smart bulbs and bridge, and found vulnerabilities (CVE-2020-6007) that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices.

With the help of the Check Point Institute for Information Security (CPIIS) in Tel Aviv University, the researchers were able to take control of a Hue lightbulb on a target network and install malicious firmware on it. From that point, they used the lightbulb as a platform to take over the bulbs’ control bridge, and attacked the target network

MacDailyNews Take: This Philips Hue smart bulb hack is why Amazon, Apple, Google, Zigbee Alliance have joined forces to develop a new, royalty-free connectivity standard to increase compatibility among smart home products, with security as a fundamental design tenet.

Check Point’s research was disclosed to Philips and Signify (owner of the Philips Hue brand) in November 2019. Signify issued a firmware patch (Firmware 1935144040), which is now available on their site. Philips Hue smart bulb users should make sure their firmware is up-to-date.
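One way to check an inventory against the patched build, as an added example that is not code from Check Point, Signify or this article. It assumes each control bridge reports its firmware build as a numeric `swversion` string in a JSON config response and that higher build numbers are newer; the addresses and responses are constructed samples.

```python
import json

PATCHED_BUILD = 1935144040  # firmware build named in the article as the fix

# Constructed sample inventory: bridge address -> body of its config response.
# Assumption: the bridge reports its firmware build in a "swversion" field.
SAMPLE_RESPONSES = {
    "192.0.2.10": '{"name": "Lobby", "swversion": "1933144020"}',
    "192.0.2.11": '{"name": "Office", "swversion": "1935144040"}',
    "192.0.2.12": '{"name": "Lab", "swversion": "1937045000"}',
    "192.0.2.13": '{"name": "Store"}',
    "192.0.2.14": "<html>login</html>",
}


def classify(body):
    """Return 'patched', 'vulnerable' or 'unknown' for one config response."""
    try:
        config = json.loads(body)
        build = int(str(config["swversion"]).strip())
    except (ValueError, KeyError, TypeError):
        # Not JSON, no version field, or a non-numeric version: cannot decide,
        # so flag for manual review instead of assuming the device is safe.
        return "unknown"
    return "patched" if build >= PATCHED_BUILD else "vulnerable"


def audit(responses):
    """Group bridge addresses by patch status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for address, body in sorted(responses.items()):
        report[classify(body)].append(address)
    return report


if __name__ == "__main__":
    for status, addresses in audit(SAMPLE_RESPONSES).items():
        print(f"{status:10} {', '.join(addresses) or '-'}")
```

Devices that land in `unknown` should be checked by hand in the vendor app rather than treated as up to date.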

6 Comments

  1. A few points.

    First, Philips Hue bulbs are by far the best overall smart light bulbs in the business, with significantly more experience than some of the latest IoT gadget makers. Approval ratings speak for themselves.

    MDN has it backwards. Philips Lighting division had been set up as an independent company from Royal Philips in 2016, as the parent company continues to focus more of its attention on industrial and medical products. Philips Lighting merely changed its name in 2018 to Signify. Signify will continue to use Philips branding for some time in the future. https://www.philips.com/a-w/about/news/archive/standard/news/articles/2018/20180516-philips-lighting-is-now-signify.html

    Philips Hue bulbs already DO use the Zigbee communication protocols. Zigbee wasn’t set up with the primary purpose of ultimate security, but rather to standardize IoT communications as all the big players realized that elevating competing walled gardens would prevent any headway toward their Smart Home gadgets sales goals.

    Philips Hue bulbs use a base module and WiFi, which the user can secure much more effectively than any Bluetooth protocol.

    Philips Hue bulbs allow the user to turn off remote access to the base module for even more security.

    Finally, adding a few smart light bulbs to a home can be very convenient, and compared to other IoT things they are far less pernicious. Unsecured cameras, microphones, thermostats, etc. when hacked can give orders of magnitude worse security nightmares. Based on most internet reports, there isn’t a single nursery monitor that hasn’t been hacked by sick bastards.

    All that being said, nothing beats hard-wired electronics with minimal exposure to the open net, and nothing ever will. Wireless communications of all kinds are always the easiest targets for attacks.

    1. Hue bulbs are great value, but Lifx’s more expensive standard (not mini) bulbs have greater range in that they’re brighter than Hue and darker too (better for sunrise simulation; Hue’s darkest is still too bright).

      We have a mix of both Lifx and Hue, happy with them both.
