Philips patched a longstanding Hue bulb security flaw

Hackers could have accessed home or business networks through compromised bulbs.
Philips and its parent company Signify have patched another Hue smart light bulb vulnerability. Fortunately, the flaw was discovered by security researchers at CheckPoint Software, and it's unlikely that it was exploited in the wild. But this isn't the first time researchers have shown how smart home products, and Hue lights specifically, could give hackers access to entire home or business networks.

The researchers discovered that they could take control of a Hue light bulb and install malicious firmware. Then, they'd be able to mess with the light, changing color and brightness. If the user tried to reset the bulb, by deleting it from the app and then reconnecting it, the hackers would be able to deploy the malicious firmware and use the ZigBee protocol to connect to the targeted business or home network. Finally, the hackers would be able to spread ransomware or spyware throughout the network.

CheckPoint notified Philips and Signify of the vulnerability in November, and Signify issued a patch (Firmware 1935144040) several weeks ago. If your Philips Hue Hub is connected to the internet, it should have updated automatically, but it is worth double-checking.

According to Signify, Hue lights produced in 2018 or later do not include the vulnerability. "There is very limited risk to users but they should always make sure their Philips Hue products have been updated to the latest software version," Signify said in a statement provided to Engadget.

This may all sound familiar. In 2016, hackers hijacked Philips Hue lights with a drone using a ZigBee weakness. Philips issued a firmware update, but again in 2017, researchers proved they could take over the smart light bulbs using ZigBee. This current exploit uses the same vulnerability found in 2017. Signify patched the vulnerability then, but researchers found another way to take advantage of it.

As The Verge notes, the ZigBee protocol used in this exploit is also used by other smart home brands, like Amazon's Ring, Samsung SmartThings, Honeywell thermostats and Comcast's Xfinity Home alarm system. While those products aren't necessarily at risk, the Philips Hue vulnerability does raise the question of how safe our smart home products really are. If you're worried about your connected devices, you can check out our guide to keeping your smart home secure.
