Philips patched a longstanding Hue bulb security flaw

Hackers could have accessed home or business networks through compromised bulbs.

Philips and its parent company Signify have patched another Hue smart light bulb vulnerability. Fortunately, the flaw was discovered by security researchers at Check Point Software, and it's unlikely that it was exploited in the wild. But this isn't the first time researchers have shown how smart home products, and Hue lights specifically, could give hackers access to entire home or business networks.

The researchers discovered that they could take control of a Hue light bulb and install malicious firmware. Then, they'd be able to mess with the light, changing color and brightness. If the user tried to reset the bulb, by deleting it from the app and then reconnecting it, the hackers would be able to deploy the malicious firmware and use the ZigBee protocol to connect to the targeted business or home network. Finally, the hackers would be able to spread ransomware or spyware throughout the network.

Check Point notified Philips and Signify of the vulnerability in November, and Signify issued a patch (Firmware 1935144040) several weeks ago. If your Philips Hue Hub is connected to the internet, it should have automatically updated, but it is worth double-checking.

According to Signify, Hue lights produced in 2018 or later do not include the vulnerability. "There is very limited risk to users but they should always make sure their Philips Hue products have been updated to the latest software version," Signify said in a statement provided to Engadget.

This may all sound familiar. In 2016, hackers hijacked Philips Hue lights with a drone using a ZigBee weakness. Philips issued a firmware update, but again in 2017, researchers proved they could take over the smart light bulbs using ZigBee. This current exploit uses the same vulnerability found in 2017. Signify patched the vulnerability then, but researchers found another way to take advantage of it.

As The Verge notes, the ZigBee protocol used in this exploit is also used by other smart home brands, like Amazon's Ring, Samsung SmartThings, Honeywell thermostats and Comcast's Xfinity Home alarm system. While those products aren't necessarily at risk, the Philips Hue vulnerability does raise the question of how safe our smart home products really are. If you're worried about your connected devices, you can check out our guide to keeping your smart home secure.
