Philips Hue susceptible to hack, vulnerable to blackouts (update)
Oh, Philips. Why'd you have to make it so easy for ne'er-do-wells to go full Aiden Pearce on Hue smart light users? A recent study by researcher Nitesh Dhanjani reveals that Hue's control portal -- known as the bridge -- uses a shoddy authentication system when communicating with smartphones and computers. That system uses the bridge's MAC address, which is easy to detect. As such it's also easy to hack the device and cause a blackout.
In Dhanjani's demo video below, he introduces malware into the bridge through a compromised website. This lets him find the right MAC address and take control, turning the lights off again and again, ad infinitum, regardless of the switch's status. Sure, there's no immediate threat of widescale blackouts -- smart lighting has yet to be adopted en masse, after all -- but this is a security issue companies need to address, especially since lighting plays such a critical safety role.
Update (08/17/2013): In a statement sent to Engadget, a Philips Lighting spokesperson says:
In developing Hue we have used industry standard encryption and authentication techniques to ensure that unauthorized persons cannot gain access to lighting systems. An attack of the nature described requires that a computer on your private local network is compromised to send commands internally. This means there is very limited security risk if your home network is properly protected, as traffic passing between your devices and across the internet will remain fully secure. However, if an attack is made upon your home network, everything contained within that network can be compromised. Therefore our main advice to customers is that they take steps to ensure they are secured from malicious attacks at a network level, in order to protect all of their devices, including Hue.
