A new vulnerability has been discovered in the Philips Hue smart lighting system that could let hackers gain access to the local host network and other devices connected to it.


Discovered by Check Point Research and demonstrated in a video, the flaw relates to the Zigbee communication protocol used by Philips Hue bulbs and a number of other smart home devices, including Amazon's Ring, Samsung SmartThings, Ikea Tradfri, and Belkin's WeMo.

According to the security researchers, the vulnerability could allow a local attacker to take control of Hue light bulbs using a malicious over-the-air update and cause the bulbs to exhibit random behavior and become uncontrollable. If the user then deletes the bulb and re-adds it in the Hue app, the attacker is able to gain access to the Hue bridge.

The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.

Every Philips Hue Hub connected to the internet should have automatically updated itself to version 1935144040, which patches this specific vulnerability. Users can check themselves by looking to see if any updates are available for the Hue app.

The flaw actually relies on a vulnerability that was originally discovered in 2016 and which can't be patched, as it would require a hardware update to the smart bulbs.

"Many of us are aware that IoT devices can pose a security risk," said Yaniv Balmas, Head of Cyber Research at Check Point Research. "But this research shows how even the most mundane, seemingly 'dumb' devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware."

Top Rated Comments

Suckfest 9001 Avatar
17 months ago

Even more reason not to have such a ludicrously high level of connected devices. ;)
Yeah instead of fixing the issues and continuing to enjoy smart devices, let's go back to the stone age, I agree. Hang on, I'll get the candles lit and then we'll go out hunting
Score: 9 Votes (Like | Disagree)
4jasontv Avatar
17 months ago

So what a hacker is going to change the color of my lights :oops:
They get access to the machines on the same network.
Score: 3 Votes (Like | Disagree)
Mike MA Avatar
17 months ago

Even more reason not to have such a ludicrously high level of connected devices. ;)
Or just doing an update like you do on your smart watch, phone, laptop, TV or tablet? Or did you abandon those as well after their first security flaw?
Score: 3 Votes (Like | Disagree)
BMcCoy Avatar
17 months ago
Given the frequency of vulnerabilities being found in internet connected devices, is it reasonable to connect all such devices to your router’s ‘guest’ network, rather than your core Wi-Fi network, which holds your computer/PC/iPad/phone?

Would that restrict access to devices on the guest network only, if compromised and hacked? ie your core computers would be safe..
Score: 3 Votes (Like | Disagree)
Rigby Avatar
17 months ago

Are you sure about that? I have separate 2.4 and 5 GHz networks, and some of my devices are on the 2.4 and some on the 5, but they all still communicate with each other. Would it be the same with a VLAN?
No. In your case both Wifi bands are connected to the same IP subnet, so they are not isolated at all. When using VLANs with Wifi, you'd typically use multiple Wifi SSIDs and connect them to different VLANs.
Or is the entire idea that you can’t communicate across that barrier?
Yes, that's the point. Once you have set up separate VLANs (which are used to create separate IP subnets), you can control the traffic flow between them by setting up routing and firewall rules between them with an appropriate router. It does require some networking knowledge.
Score: 3 Votes (Like | Disagree)
imola.zhp Avatar
17 months ago

So what a hacker is going to change the color of my lights :oops:

How far is too far with connected devices, lightbulbs, door locks, doorbells, refrigerators, toasters. Do we really need all that much connectivity?

They get access to the machines on the same network.

Even more reason not to have such a ludicrously high level of connected devices. ;)

Given this is down to a Zigbee vulnerability there are non IoT ramifications. Many alarm systems use Zigbee for their sensors to talk to the control unit. Using the same underlying vulnerability could you trick a sensor into saying everything is fine when it isn’t?
Did any of you read the article? To gain access to the ENTIRE network the device must first be compromised and unresponsive, then you must take action to remove that device and re-add it to your zigbee hub. Only at that point, as I understand it, your network becomes infected.

So if you have a zigbee device that goes unresponsive, be very weary of it. We've been running zigbee devices for too many years to count and I haven't had one go unresponsive yet (knocks on wood). So thank you MR for this tip that if one ever does go unresponsive it needs to be dealt with accordingly.


Given the frequency of vulnerabilities being found in internet connected devices, is it reasonable to connect all such devices to your router’s ‘guest’ network, rather than your core Wi-Fi network, which holds your computer/PC/iPad/phone?

Would that restrict access to devices on the guest network only, if compromised and hacked? ie your core computers would be safe..
I keep seeing this suggestion but I can only picture how frustrating this would be in reality.

Lets put the Hue Hub on a secondary network.
Start with HomePod. Tell one of our HomePods to turn on or off a Hue device, but now it cant because the Hue Hub is on our secondary network. Hmm...
Ok so lets put the HomePods on that secondary network. But if the HomePods are on the secondary network I cant stream audio from my phone or ipad to the HomePod because those devices are on the primary network. I also cannot stream audio from apple TV to homepods.
Ok so lets put the apple TV's on that secondary network. But if apple TV's are on the secondary network then I cant stream movies and TV shows to the apple TV's from my mac Mini that acts like a pseudo-server.
Ok so lets put the mac mini to that secondary network. But now all we have left on the primary are phones, ipads and a rarely used macbook pro that is usually asleep. We still cannot stream anything from those devices to the HomePods or Apple TV's but hey, we're more secure, right? If we move phones and ipads to the secondary network all we have left on the primary is that rarely used 2010 MacBook Pro that is usually asleep; but again, more secure!
Or you have some crazy combo here and your constantly switching from primary network to secondary network wasting so much time to avoid a very small chance you'll ever be hacked.
Score: 3 Votes (Like | Disagree)

Top Stories

General Music and AirPod 3 Feature

Rumor: Apple to Announce Third-Generation AirPods and HiFi Apple Music Tier on May 18

Thursday May 13, 2021 10:32 pm PDT by
A new rumor suggests that Apple will announce the third-generation AirPods and the recently rumored HiFi, or high-fidelity Apple Music tier, on Tuesday, May 18, via a press release on its website. The new rumor comes from Apple YouTuber Luke Miani who shared the alleged exclusive news with the AppleTrack website. According to the YouTuber, Apple plans to release the next-generation AirPods...
2021 mbp hdmi slot 3d

2021 MacBook Pro Leaks Confirm Returning MagSafe and Ports

Friday May 14, 2021 3:06 am PDT by
Apple's upcoming MacBook Pro models are expected to feature a number of major changes such as larger display options and powerful new Apple silicon chips. Among the more surprising updates to this year's MacBook Pro models is the return of three ports that have been missing from the machines for over five years. Expected to come in 14- and 16-inch sizes, the 2021 MacBook Pro models are...
apple park drone june 2018 2

Apple Fires Newly Hired Ex-Facebook Product Manager Following Revelations of Past Misogynistic Comments

Thursday May 13, 2021 12:10 am PDT by
Apple has fired Antonio García Martínez, an ex-Facebook product manager and author of the controversial book "Chaos Monkeys," following public and internal calls for removal and investigation due to past misogynistic statements, The Verge reports. Apple hired Martínez earlier this week to join its ads team, however, comments that Martínez made in the past sparked condemnation from users...
magic mouse space gray discontinued

Apple Discontinuing Space Gray Mac Accessories Now That iMac Pro is Dead

Friday May 14, 2021 11:52 am PDT by
Following the discontinuation of the iMac Pro, Apple also appears to be discontinuing Space Gray "Magic" accessories that it sold separately alongside the iMac Pro. The iMac Pro was the only Space Gray Mac, and Apple designed special matching accessories for it. The Space Gray Magic Mouse 2, Magic Keyboard, and Magic Trackpad all now say "While supplies last" in small wording at the bottom...
tile amazon sidewalk integration

Apple Says Tile Trackers Sold Poorly in Apple Stores

Friday May 14, 2021 4:53 am PDT by
Earlier last month, Spotify, Tile, and Match (owner of Tinder), testified at an app store antitrust hearing spearheaded by the U.S. Senate. During the hearing, Spotify called Apple's App Store "an abusive power grab," while Tile said Apple uses its platform to "unfairly limit competition for its products." Now, in response to their testimonies, Apple's vice president and chief compliance...
google photos

PSA: Google Photos Unlimited Storage Ends Next Month, Here's How to Export Your Pictures to iCloud

Thursday May 13, 2021 5:26 am PDT by
For as long as it's existed, Google Photos has offered free unlimited storage for uploading images at a reduced yet good enough quality for most users. From June 1, 2021, however, all photos and videos uploaded to Google accounts will count against users' cloud storage. If you've been relying on Google to back up your media library, it may be time to move that content elsewhere. This article...
fortnite apple logo 2

Judge in Epic vs. Apple Case Floats Potential Compromise

Wednesday May 12, 2021 3:54 pm PDT by
In the ongoing legal battle between Apple and Epic Games, the two companies are this week calling up their expert witnesses to argue their points before Judge Yvonne Gonzalez Rogers, who will make a decision in the case after a three week trial. Expert testimony is not as exciting as some of the leaked App Store documents that were highlighted last week, especially as much of what's being...
syng cell alpha

Longtime Apple Designer Christopher Stringer's Latest Project Is a High-Fidelity Speaker With AirPlay 2

Friday May 14, 2021 7:30 am PDT by
Christopher Stringer, a key member of Jony Ive's design team who spent 21 years at Apple before departing in 2017, is resurfacing today with his new venture Syng, which seeks to make an impact in the high-end audio market. Stringer, who contributed to many of the most iconic product designs in Apple's history, announced his plans roughly a year ago, and Syng is today introducing its flagship ...
Twitter Feature

Twitter's 'Blue' Subscription Service May Cost $2.99, Will Offer Undo Tweet Option

Saturday May 15, 2021 11:08 am PDT by
Twitter has been working on some kind of subscription service since last summer, and Jane Manchun Wong, who often digs into new features coming in apps, has shared details on just what Twitter is exploring. Twitter's subscription service could be called Twitter Blue, and at the current time, it's priced at $2.99 per month. There will be a "Collections" section that allows users to save and...
imac m1 blue isolated 16x9 500k

M1 iMac is Up to 56% Faster Than Prior-Generation High-End 21.5-Inch iMac

Wednesday May 12, 2021 10:03 am PDT by
Apple's M1 iMacs are set to start delivering to customers next week, and ahead of the official launch day, benchmarks for the machines have been showing up on Geekbench, likely from reviewers who are testing them. It will come as no surprise that M1 iMac benchmarks are right on par with benchmarks for the M1 MacBook Pro, MacBook Air, and Mac mini, coming in with an average single-core score...