A new vulnerability has been discovered in the Philips Hue smart lighting system that could let hackers gain access to the local host network and other devices connected to it.


Discovered by Check Point Research and demonstrated in a video, the flaw relates to the Zigbee communication protocol used by Philips Hue bulbs and a number of other smart home devices, including Amazon's Ring, Samsung SmartThings, Ikea Tradfri, and Belkin's WeMo.

According to the security researchers, the vulnerability could allow a local attacker to take control of Hue light bulbs using a malicious over-the-air update and cause the bulbs to exhibit random behavior and become uncontrollable. If the user then deletes the bulb and re-adds it in the Hue app, the attacker is able to gain access to the Hue bridge.

The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.

Every Philips Hue Hub connected to the internet should have automatically updated itself to version 1935144040, which patches this specific vulnerability. Users can check themselves by looking to see if any updates are available for the Hue app.

The flaw actually relies on a vulnerability that was originally discovered in 2016 and which can't be patched, as it would require a hardware update to the smart bulbs.

"Many of us are aware that IoT devices can pose a security risk," said Yaniv Balmas, Head of Cyber Research at Check Point Research. "But this research shows how even the most mundane, seemingly 'dumb' devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware."

Top Rated Comments

Suckfest 9001 Avatar
21 months ago

Even more reason not to have such a ludicrously high level of connected devices. ;)
Yeah instead of fixing the issues and continuing to enjoy smart devices, let's go back to the stone age, I agree. Hang on, I'll get the candles lit and then we'll go out hunting
Score: 9 Votes (Like | Disagree)
4jasontv Avatar
21 months ago

So what a hacker is going to change the color of my lights :oops:
They get access to the machines on the same network.
Score: 3 Votes (Like | Disagree)
Mike MA Avatar
21 months ago

Even more reason not to have such a ludicrously high level of connected devices. ;)
Or just doing an update like you do on your smart watch, phone, laptop, TV or tablet? Or did you abandon those as well after their first security flaw?
Score: 3 Votes (Like | Disagree)
BMcCoy Avatar
21 months ago
Given the frequency of vulnerabilities being found in internet connected devices, is it reasonable to connect all such devices to your router’s ‘guest’ network, rather than your core Wi-Fi network, which holds your computer/PC/iPad/phone?

Would that restrict access to devices on the guest network only, if compromised and hacked? ie your core computers would be safe..
Score: 3 Votes (Like | Disagree)
Rigby Avatar
21 months ago

Are you sure about that? I have separate 2.4 and 5 GHz networks, and some of my devices are on the 2.4 and some on the 5, but they all still communicate with each other. Would it be the same with a VLAN?
No. In your case both Wifi bands are connected to the same IP subnet, so they are not isolated at all. When using VLANs with Wifi, you'd typically use multiple Wifi SSIDs and connect them to different VLANs.
Or is the entire idea that you can’t communicate across that barrier?
Yes, that's the point. Once you have set up separate VLANs (which are used to create separate IP subnets), you can control the traffic flow between them by setting up routing and firewall rules between them with an appropriate router. It does require some networking knowledge.
Score: 3 Votes (Like | Disagree)
imola.zhp Avatar
21 months ago

So what a hacker is going to change the color of my lights :oops:

How far is too far with connected devices, lightbulbs, door locks, doorbells, refrigerators, toasters. Do we really need all that much connectivity?

They get access to the machines on the same network.

Even more reason not to have such a ludicrously high level of connected devices. ;)

Given this is down to a Zigbee vulnerability there are non IoT ramifications. Many alarm systems use Zigbee for their sensors to talk to the control unit. Using the same underlying vulnerability could you trick a sensor into saying everything is fine when it isn’t?
Did any of you read the article? To gain access to the ENTIRE network the device must first be compromised and unresponsive, then you must take action to remove that device and re-add it to your zigbee hub. Only at that point, as I understand it, your network becomes infected.

So if you have a zigbee device that goes unresponsive, be very weary of it. We've been running zigbee devices for too many years to count and I haven't had one go unresponsive yet (knocks on wood). So thank you MR for this tip that if one ever does go unresponsive it needs to be dealt with accordingly.


Given the frequency of vulnerabilities being found in internet connected devices, is it reasonable to connect all such devices to your router’s ‘guest’ network, rather than your core Wi-Fi network, which holds your computer/PC/iPad/phone?

Would that restrict access to devices on the guest network only, if compromised and hacked? ie your core computers would be safe..
I keep seeing this suggestion but I can only picture how frustrating this would be in reality.

Lets put the Hue Hub on a secondary network.
Start with HomePod. Tell one of our HomePods to turn on or off a Hue device, but now it cant because the Hue Hub is on our secondary network. Hmm...
Ok so lets put the HomePods on that secondary network. But if the HomePods are on the secondary network I cant stream audio from my phone or ipad to the HomePod because those devices are on the primary network. I also cannot stream audio from apple TV to homepods.
Ok so lets put the apple TV's on that secondary network. But if apple TV's are on the secondary network then I cant stream movies and TV shows to the apple TV's from my mac Mini that acts like a pseudo-server.
Ok so lets put the mac mini to that secondary network. But now all we have left on the primary are phones, ipads and a rarely used macbook pro that is usually asleep. We still cannot stream anything from those devices to the HomePods or Apple TV's but hey, we're more secure, right? If we move phones and ipads to the secondary network all we have left on the primary is that rarely used 2010 MacBook Pro that is usually asleep; but again, more secure!
Or you have some crazy combo here and your constantly switching from primary network to secondary network wasting so much time to avoid a very small chance you'll ever be hacked.
Score: 3 Votes (Like | Disagree)

Top Stories

iphone 12 colors 2021

iPhone 12 Colors: Deciding on The Right Color

Thursday November 5, 2020 8:35 am PST by
The iPhone 12 and iPhone 12 Pro arrived last October in a range of color options, with entirely new hues available on both devices, as well as some popular classics. The 12 and 12 Pro have different color choices, so if you have your heart set on a particular shade, you might not be able to get your preferred model in that color. iPhone 12 mini and iPhone 12 The iPhone 12 mini and iPhone 12...
iPhone 13 Dummy Thumbnail 2

Full iPhone 13 Feature Breakdown: Everything Rumors Say We Can Expect

Tuesday August 31, 2021 7:50 am PDT by
With the launch of Apple's iPhone 13 lineup believed to be just a few weeks away, we have compiled all of the coherent rumors from our coverage over the past year to build a full picture of the features and upgrades coming to the company's new smartphones. For clarity, only explicit improvements, upgrades, and new features compared to the iPhone 12 lineup are listed. It is worth noting that...
original iphone

Phil Schiller Says iPhone Was 'Earth-Shattering' Ten Years Ago and Remains 'Unmatched' Today

Monday January 9, 2017 7:15 am PST by
To commemorate the tenth anniversary of the iPhone, Apple marketing chief Phil Schiller sat down with tech journalist Steven Levy for a wide-ranging interview about the smartphone's past, present, and future. The report first reflects upon the iPhone's lack of support for third-party apps in its first year. The argument inside Apple was split between whether the iPhone should be a closed...
macbook air deals

Deals: Amazon Drops Price of 256GB M1 MacBook Air to New Low of $849.99 ($149 Off)

Friday August 27, 2021 6:16 am PDT by
Amazon today introduced new low prices on the M1 MacBook Air for both 256GB and 512GB storage options. To start, you can get the 256GB model for $849.99, down from an original price of $999.00. Note: MacRumors is an affiliate partner with Amazon. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. Only Silver and Gold are...
iCloud General Feature

iCloud+'s New Custom Email Domain Feature Now Available in Beta

Wednesday August 25, 2021 7:48 am PDT by
Starting with iOS 15, iPadOS 15, and macOS Monterey, users with a paid iCloud+ storage plan can personalize their iCloud email address with a custom domain name, such as johnny@appleseed.com, and the feature is now available in beta. iCloud+ subscribers interested in setting up a custom email domain can visit the beta.icloud.com website, select "Account Settings" under their name, and select ...
iPhone 13 Dummy Thumbnail 2

Kuo: iPhone 13 to Feature LEO Satellite Communications to Make Calls and Texts Without Cellular Coverage

Sunday August 29, 2021 7:39 am PDT by
The iPhone 13 will feature low earth orbit (LEO) satellite communication connectivity to allow users to make calls and send messages in areas without 4G or 5G coverage, according to the reliable analyst Ming-Chi Kuo. In a note to investors, seen by MacRumors, Kuo explained that the iPhone 13 lineup will feature hardware that is able to connect to LEO satellites. If enabled with the relevant...
maxresdefault

New MacBook Pro Models Coming at WWDC, Suggests Leaker

Monday May 24, 2021 1:27 pm PDT by
New MacBook Pro models are coming at WWDC, according to leaker Jon Prosser who has a mixed track record when it comes to predicting Apple's plans. Subscribe to the MacRumors YouTube channel for more videos. Prosser provided no additional information, but there are new 14 and 16-inch MacBook Pro models in the works. The new MacBook Pros will feature the most radical redesign to the MacBook Pro ...
omg lightning cable comparison

Security Researcher Develops Lightning Cable With Hidden Chip to Steal Passwords

Thursday September 2, 2021 6:59 am PDT by
A normal-looking Lightning cable that can used to steal data like passwords and send it to a hacker has been developed, Vice reports. The "OMG Cable" compared to Apple's Lightning to USB cable. The "OMG Cable" works exactly like a normal Lightning to USB cable and can log keystrokes from connected Mac keyboards, iPads, and iPhones, and then send this data to a bad actor who could be over a...
ted lasso notchless phone

No, That Notchless iPhone Spotted in 'Ted Lasso' Isn't the iPhone 13

Tuesday August 31, 2021 2:15 am PDT by
Recent sightings of a notchless iPhone in highly popular Apple TV+ comedy "Ted Lasso" have led to sensational headlines suggesting this is a canny bit of product placement on Apple's part and that the iPhone 13 will be notchless. In actuality – and this could go without saying – the phone in question is very likely just showing a poorly superimposed display added in post-production. Notchless ...
calculatorapp

iOS 11 Bug: Typing 1+2+3 Quickly in the Calculator App Won't Get You 6

Tuesday October 24, 2017 2:03 pm PDT by
A bug in the built-in Calculator app in iOS 11 is getting some major attention this week, despite the fact that it's been around since iOS 11 was in beta testing. At issue is a calculator animation that causes some symbols to be ignored when calculations are entered in rapid succession. You can try it for yourself: Type 1+2+3 and then the equals sign into the Calculator app quickly. Due to...