A new vulnerability has been discovered in the Philips Hue smart lighting system that could let hackers gain access to the local host network and other devices connected to it.


Discovered by Check Point Research and demonstrated in a video, the flaw relates to the Zigbee communication protocol used by Philips Hue bulbs and a number of other smart home devices, including Amazon's Ring, Samsung SmartThings, Ikea Tradfri, and Belkin's WeMo.

According to the security researchers, the vulnerability could allow a local attacker to take control of Hue light bulbs using a malicious over-the-air update and cause the bulbs to exhibit random behavior and become uncontrollable. If the user then deletes the bulb and re-adds it in the Hue app, the attacker is able to gain access to the Hue bridge.

The hacker-controlled bulb with updated firmware then uses the ZigBee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge, by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network.

Every Philips Hue Hub connected to the internet should have automatically updated itself to version 1935144040, which patches this specific vulnerability. Users can check themselves by looking to see if any updates are available for the Hue app.

The flaw actually relies on a vulnerability that was originally discovered in 2016 and which can't be patched, as it would require a hardware update to the smart bulbs.

"Many of us are aware that IoT devices can pose a security risk," said Yaniv Balmas, Head of Cyber Research at Check Point Research. "But this research shows how even the most mundane, seemingly 'dumb' devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware."

Tags: Philips, Philips Hue

Top Rated Comments

Suckfest 9001 Avatar
Suckfest 9001
50 months ago

Even more reason not to have such a ludicrously high level of connected devices. ;)
Yeah instead of fixing the issues and continuing to enjoy smart devices, let's go back to the stone age, I agree. Hang on, I'll get the candles lit and then we'll go out hunting
Score: 9 Votes (Like | Disagree)
4jasontv Avatar
4jasontv
50 months ago

So what a hacker is going to change the color of my lights :oops:
They get access to the machines on the same network.
Score: 3 Votes (Like | Disagree)
Mike MA Avatar
Mike MA
50 months ago

Even more reason not to have such a ludicrously high level of connected devices. ;)
Or just doing an update like you do on your smart watch, phone, laptop, TV or tablet? Or did you abandon those as well after their first security flaw?
Score: 3 Votes (Like | Disagree)
BMcCoy Avatar
BMcCoy
50 months ago
Given the frequency of vulnerabilities being found in internet connected devices, is it reasonable to connect all such devices to your router’s ‘guest’ network, rather than your core Wi-Fi network, which holds your computer/PC/iPad/phone?

Would that restrict access to devices on the guest network only, if compromised and hacked? ie your core computers would be safe..
Score: 3 Votes (Like | Disagree)
Rigby Avatar
Rigby
50 months ago

Are you sure about that? I have separate 2.4 and 5 GHz networks, and some of my devices are on the 2.4 and some on the 5, but they all still communicate with each other. Would it be the same with a VLAN?
No. In your case both Wifi bands are connected to the same IP subnet, so they are not isolated at all. When using VLANs with Wifi, you'd typically use multiple Wifi SSIDs and connect them to different VLANs.
Or is the entire idea that you can’t communicate across that barrier?
Yes, that's the point. Once you have set up separate VLANs (which are used to create separate IP subnets), you can control the traffic flow between them by setting up routing and firewall rules between them with an appropriate router. It does require some networking knowledge.
Score: 3 Votes (Like | Disagree)
imola.zhp Avatar
imola.zhp
50 months ago

So what a hacker is going to change the color of my lights :oops:

How far is too far with connected devices, lightbulbs, door locks, doorbells, refrigerators, toasters. Do we really need all that much connectivity?

They get access to the machines on the same network.

Even more reason not to have such a ludicrously high level of connected devices. ;)

Given this is down to a Zigbee vulnerability there are non IoT ramifications. Many alarm systems use Zigbee for their sensors to talk to the control unit. Using the same underlying vulnerability could you trick a sensor into saying everything is fine when it isn’t?
Did any of you read the article? To gain access to the ENTIRE network the device must first be compromised and unresponsive, then you must take action to remove that device and re-add it to your zigbee hub. Only at that point, as I understand it, your network becomes infected.

So if you have a zigbee device that goes unresponsive, be very weary of it. We've been running zigbee devices for too many years to count and I haven't had one go unresponsive yet (knocks on wood). So thank you MR for this tip that if one ever does go unresponsive it needs to be dealt with accordingly.


Given the frequency of vulnerabilities being found in internet connected devices, is it reasonable to connect all such devices to your router’s ‘guest’ network, rather than your core Wi-Fi network, which holds your computer/PC/iPad/phone?

Would that restrict access to devices on the guest network only, if compromised and hacked? ie your core computers would be safe..
I keep seeing this suggestion but I can only picture how frustrating this would be in reality.

Lets put the Hue Hub on a secondary network.
Start with HomePod. Tell one of our HomePods to turn on or off a Hue device, but now it cant because the Hue Hub is on our secondary network. Hmm...
Ok so lets put the HomePods on that secondary network. But if the HomePods are on the secondary network I cant stream audio from my phone or ipad to the HomePod because those devices are on the primary network. I also cannot stream audio from apple TV to homepods.
Ok so lets put the apple TV's on that secondary network. But if apple TV's are on the secondary network then I cant stream movies and TV shows to the apple TV's from my mac Mini that acts like a pseudo-server.
Ok so lets put the mac mini to that secondary network. But now all we have left on the primary are phones, ipads and a rarely used macbook pro that is usually asleep. We still cannot stream anything from those devices to the HomePods or Apple TV's but hey, we're more secure, right? If we move phones and ipads to the secondary network all we have left on the primary is that rarely used 2010 MacBook Pro that is usually asleep; but again, more secure!
Or you have some crazy combo here and your constantly switching from primary network to secondary network wasting so much time to avoid a very small chance you'll ever be hacked.
Score: 3 Votes (Like | Disagree)
Read All Comments

Popular Stories

apple card 1

Apple Ending Apple Card Partnership With Goldman Sachs

Tuesday November 28, 2023 3:09 pm PST by
Apple is ending its credit card partnership with Goldman Sachs, according to The Wall Street Journal. Apple plans to stop working with Goldman Sachs in the next 12 to 15 months, and it is not yet clear if Apple has established a new partnership for the Apple Card. Apple and Goldman Sachs will dissolve their entire consumer partnership, including the Apple Card and the Apple Savings account....
Read Full Article438 comments
iOS 17

Everything New in iOS 17.2 Beta 4

Tuesday November 28, 2023 12:18 pm PST by
Apple is wrapping up development on iOS 17.2, with the update expected to come out in December. While we're getting to the end of the beta testing period, Apple is still tweaking features and adding new functionality. We've rounded up everything new in the fourth beta of iOS 17.2. Default Notification Sound Under Sounds & Haptics, there's a new "Default Alerts" section that allows you to ...
Read Full Article39 comments
iOS 17

Apple Releases iOS 17.1.2 With Security Fixes

Thursday November 30, 2023 10:12 am PST by
Apple today released iOS 17.1.2 and iPadOS 17.1.2, small updates to the iOS 17 and iPadOS 17 operating systems that Apple introduced in September. iOS 17.1.2 and iPadOS 17.1.2 come a few weeks after the release of iOS 17.1.1, another bug fix update. iOS 17.1.2 and iPadOS 17.1.2 can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General > Software Update....
Read Full Article90 comments
Apple 5G Modem Feature Triad

Apple to Discontinue Custom 5G Modem Development, Claim Reports

Wednesday November 29, 2023 4:19 am PST by
Apple is discontinuing in-house modem development after several unsuccessful attempts to perfect its own custom 5G modem chip, according to unconfirmed reports coming out of Asia. According to the operator of news aggregator account "yeux1122" on the Naver blog, supply chain sources related to Apple's 5G modem departments claim that the company's attempts to develop its own modem have...
Read Full Article224 comments
All New CarPlay Five New Features Article 2

What to Expect From All-New CarPlay, Still Listed as Coming 'Late 2023'

Tuesday November 28, 2023 7:44 am PST by
At WWDC in June 2022, Apple previewed the next generation of CarPlay, promising deeper integration with vehicle functions like A/C and FM radio, support for multiple displays across the dashboard, increased personalization, and more. Apple's website still says the first vehicles with support for the next-generation CarPlay experience will be announced in "late 2023," but it has not shared...
Read Full Article95 comments
Apple Logo

Apple Discontinued These 5 Products This Year

Monday November 27, 2023 7:03 am PST by
As the end of 2023 nears, now is a good opportunity to look back at some of the devices and accessories that Apple discontinued throughout the year. Apple products discontinued in 2023 include the iPhone 13 mini, 13-inch MacBook Pro, MagSafe Battery Pack, MagSafe Duo Charger, and leather accessories. Also check out our lists of Apple products discontinued in 2022 and 2021. iPhone Mini ...
Read Full Article
iOS 17

iOS 17.1.2 Update for iPhone Likely to Be Released This Week

Monday November 27, 2023 8:24 am PST by
Apple will likely release iOS 17.1.2 this week, based on mounting evidence of the software in our website's analytics logs in recent days. As a minor update, iOS 17.1.2 should be focused on bug fixes, but it's unclear exactly which issues might be addressed. Some users have continued to experience Wi-Fi issues on iOS 17.1.1, so perhaps iOS 17.1.2 will include the same fix for Wi-Fi...
Read Full Article55 comments
iOS 17

28 New Things Your iPhone Can Do in December's iOS 17.2 Update

Friday December 1, 2023 2:57 am PST by
Apple made the first beta of iOS 17.2 available to developers in October. Since then we've seen three more betas, and with each iteration Apple continues to add more new features and changes, many of which users have been anticipating for quite a while. Below, we've listed 28 new things that are coming to your iPhone when the finalized version is publicly released this December. 1. Help...
Read Full Article153 comments