A new report this week revealed that your cool smart light bulbs from Philips are potentially vulnerable to hackers — in fact, your whole Wi-Fi network could be compromised. So take our word for it: update now.
This news comes from cybersecurity research firm Check Point, which published a blog post exposing the flaw. When this was originally pointed out several years ago, companies found a way to stop what was at the time a bulb-hopping attack. Check Point says that, while this fix was deployed at the time, the basic vulnerability in the Hue bulb is still there, and can still be used for mischief.
To make this work, a hacker would have to take control of one bulb, then fiddle with its color and brightness enough to make the owner think something was wrong with it. The owner would have to delete, then “rediscover” the infected bulb on their app, at which point it would flood the control bridge with malware via a vulnerability in the device’s Zigbee protocol. From there, the hacker can infiltrate the home network to which the bridge is attached.
It’s kind of an esoteric attack, and relies on the victim attempting to reconnect the malfunctioning bulb to the app. But it can work, and that’s a problem. And Zigbee is used by multiple smart home brands: its website lists such brands as Amazon Echo, Samsung’s SmartThings, and IKEA’s smart lighting devices. But at least we know Philips has tried to fix the problem.
Double-check to make sure your Philips Hue Hub is updated to firmware version 1935144040. This is the patched version Philips released last month, and you can find out whether you have it by checking the “software update” part of the Hue app’s settings menu. Hopefully most of you Philips owners (and anyone else with a Zigbee-based device) get your updates automatically, and you’ll already have it by now.
And if one of your Hue bulbs starts malfunctioning, flickering, etc… I don’t know, maybe throw it out a window, just to be safe?