We have bad news for you. Thanks in part to a several-year-old vulnerability in ZigBee, security researchers have demonstrated the ability to compromise an entire home network through a Philips hue system. Thankfully, there’s also good news: the security researchers responsibly disclosed their findings to Signify (the company behind Philips Hue), and there’s a patch. You should check your Hue Firmware right now.
In 2017, researchers found a vulnerability in the ZigBee protocol that allowed hackers to compromise a single smart bulb. Frustratingly, that vulnerability exists to this day. You might think a single compromised smart bulb wouldn’t be a major concern. But now security researchers at Checkpoint have shown that a bad actor could compromise an entire network through a single bulb.
The process is shockingly simple as demonstrated in the video above. First, the hacker needs to compromise a single Philips Hue bulb using an existing bug in the ZigBee protocol. Doing that will pull the smart bulb off the network, but that’s part of the plan. Once they control the bulb, the hacker implants malware in the bulb and changes its color.
Now that the bulb is “the wrong color,” the target will likely notice it and realize they can’t change it back. Naturally, they’ll take the usual troubleshooting steps of deleting the bulb from the Hue app, and re-paring it (the smart home equivalent of turning it off and on again).
And that’s just what the hacker is hoping for; the unwitting victim just invited malware onto their network. From there, a hacker can infect other bulbs, the Hue Bridge, and possibly other devices on the network. In the unlikely scenario that the victim plugs a computer into the Hue Bridge, a hacker could compromise that too.
All of that is terrible. But thankfully, Checkpoint responsibly disclosed its findings to Signify, and the company created a patch to prevent that sequence of events. Unfortunately, Signify can’t make changes to the ZigBee protocol, so the original vulnerability still exists.
Signify marked the patch as an automatic update, so if you own a Philips Hue Bridge, you shouldn’t have to do anything. But considering the serious nature of the vulnerability, it might be wise to check your Hue Bridge firmware to ensure it already took the update. And if it hasn’t, push the firmware manually.
Unfortunately, the danger of introducing new devices to your network always runs the risk of introducing new vulnerabilities and methods of attack, as well. As the smart home world continues to grow, we’ll likely see more instances like this, not fewer. Hopefully, other companies follow Signify’s lead and respond quickly to disclosed vulnerabilities.