A team of researchers just revealed that it’s possible for a rogue light bulb to hijack your Philips Hue bridge—and, in turn, your entire network—using a vulnerability in the Zigbee wireless protocol. The good news? Your bridge has probably already patched itself.
Check Point Research published its findings on Wednesday, three months after alerting Signify-owned Philips Hue of the vulnerability. Signify confirmed the security hole and released a patch for the Hue Bridge in January. If your bridge is online and you’ve enabled automatic updates, the patch should already be installed.
Also, a Philips Hue rep told TechHive that Hue bulbs manufactured since 2018 aren’t vulnerable to the attack.
How to make sure your Hue bridge has been patched
- Open the Hue app, then tap Settings > Software update.
- Wait for the spinning wheel to finish doing its thing, then check the firmware number for your Hue Bridge. If your bridge is on firmware patch 1935144040 (which was released on January 13, although your actual install date may be different), you’re in the clear.
- If there's a pending update for the bridge, install it.
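For anyone checking several bridges from a laptop rather than the app, the same firmware comparison can be scripted. This is an added example, not code from Philips Hue or Check Point; it assumes the bridge answers an unauthenticated GET on `/api/config` over the local network with a JSON document containing `swversion`, and that later firmware carries a higher 10-digit number than 1935144040. The sample configs are constructed.

```python
import json
import sys
import urllib.request

PATCHED_SWVERSION = "1935144040"  # firmware number quoted in the article

def fetch_config(bridge_ip, timeout=5):
    """Read the bridge's config document over the LAN (assumed endpoint)."""
    url = f"http://{bridge_ip}/api/config"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def assess(config):
    """Return (status, detail) for one bridge config dict."""
    raw = config.get("swversion")
    if not isinstance(raw, str) or not (raw.isascii() and raw.isdigit()):
        return "unknown", f"unparseable swversion: {raw!r}"
    if len(raw) != len(PATCHED_SWVERSION):
        # A different numbering scheme cannot be compared safely:
        # report it for a manual check in the app instead of guessing.
        return "unknown", f"unexpected swversion format: {raw}"
    if int(raw) >= int(PATCHED_SWVERSION):
        return "patched", raw
    return "needs-update", raw

def check_all(configs):
    """Map each bridge label to its status string."""
    return {label: assess(cfg)[0] for label, cfg in configs.items()}

# Constructed sample responses, used when no bridge IP is given.
SAMPLE_CONFIGS = {
    "hall": {"name": "Hall bridge", "swversion": "1935144040"},
    "office": {"name": "Office bridge", "swversion": "1933144020"},
    "garage": {"name": "Garage bridge", "swversion": "01041302"},
    "attic": {"name": "Attic bridge"},
}

if __name__ == "__main__":
    ips = sys.argv[1:]
    configs = {ip: fetch_config(ip) for ip in ips} if ips else SAMPLE_CONFIGS
    for label, cfg in configs.items():
        status, detail = assess(cfg)
        print(f"{label}: {status} ({detail})")
```

Any bridge reported as `unknown` or `needs-update` should be checked and updated through the Hue app as described above.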
More details on the vulnerability
According to Check Point, hackers can exploit the Zigbee vulnerability by taking control of an older Hue bulb and making it turn on and off or change color, in hopes of tricking the owner into thinking something’s amiss with the bulb.
If the user removes the bulb from the Hue app and re-pairs it to the bridge, the hackers can then use the compromised bulb to send a “heap-based buffer overflow” to the bridge, essentially overwhelming it with data and paving the way for a malware attack on the user’s entire network, the Check Point report says.
Check Point notes that it focused its research on Philips Hue because it’s the “market-leading” Zigbee smart-bulb manufacturer, leaving open the possibility that other Zigbee-based smart devices are open to the attack. A detailed report won’t be published until “a later date” to “give users time to successfully patch their vulnerable devices,” Check Point said. Hopefully, we'll hear soon from manufacturers of other Zigbee-enabled devices about how they have tackled (or will tackle) the security hole.
Check Point’s findings come a few years after researchers used a drone to remotely inject a worm into a Zigbee bulb, which then allowed the worm to jump from bulb to bulb. Check Point said it used a “remaining vulnerability” from that earlier research to discover the latest exploit.