A new vulnerability has been discovered in the Philips Hue smart lighting system that could let hackers gain access to the local host network and other devices connected to it.
Discovered by Check Point Research and demonstrated in a video, the flaw relates to the Zigbee communication protocol used by Philips Hue bulbs and a number of other smart home devices, including Amazon's Ring, Samsung SmartThings, Ikea Tradfri, and Belkin's WeMo.
According to the security researchers, the vulnerability could allow a local attacker to take control of Hue light bulbs using a malicious over-the-air update and cause the bulbs to exhibit random behavior and become uncontrollable. If the user then deletes the bulb and re-adds it in the Hue app, the attacker is able to gain access to the Hue bridge.
The hacker-controlled bulb with updated firmware then uses the Zigbee protocol vulnerabilities to trigger a heap-based buffer overflow on the control bridge by sending a large amount of data to it. This data also enables the hacker to install malware on the bridge, which is in turn connected to the target business or home network.
Every Philips Hue Hub connected to the internet should have automatically updated itself to version 1935144040, which patches this specific vulnerability. Users can check for themselves by seeing whether any updates are available for the Hue app.
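The version check described above, scripted for several bridges at once, as an added example that is not code from Check Point or Philips. It assumes the bridge's local `/api/config` document reports its build in a `swversion` string and that build numbers increase over time; the hosts and responses below are constructed samples.

```python
import json
import urllib.request

PATCHED_BUILD = 1935144040  # fixed bridge version named in the article


def classify(config_json: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one bridge config document."""
    try:
        cfg = json.loads(config_json)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(cfg, dict):
        return "unknown"
    raw = cfg.get("swversion")
    # Anything that is not a plain digit string cannot be compared safely.
    if not isinstance(raw, str) or not (raw.isascii() and raw.isdigit()):
        return "unknown"
    # Assumption: build numbers are monotonically increasing integers.
    return "patched" if int(raw) >= PATCHED_BUILD else "vulnerable"


def fetch_config(host: str, timeout: float = 3.0) -> str:
    """Read a bridge's config document over the local network (not used by the sample run)."""
    with urllib.request.urlopen(f"http://{host}/api/config", timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def audit(responses: dict) -> dict:
    """Map each host to its verdict; 'unknown' results need a manual look."""
    return {host: classify(body) for host, body in responses.items()}


# Constructed sample responses (documentation addresses, not real devices).
SAMPLE = {
    "192.0.2.10": '{"name": "Office", "swversion": "1935144040"}',
    "192.0.2.11": '{"name": "Lobby", "swversion": "1933144020"}',
    "192.0.2.12": '{"name": "Lab", "swversion": "01041302"}',
    "192.0.2.13": '{"name": "Attic"}',
    "192.0.2.14": "<html>captive portal</html>",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host}: {verdict}")
```

To run it against real bridges, build the `responses` dictionary with `fetch_config` for each bridge address on the local network.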
The flaw actually relies on a vulnerability that was originally discovered in 2016 and which can't be patched, as it would require a hardware update to the smart bulbs.
"Many of us are aware that IoT devices can pose a security risk," said Yaniv Balmas, Head of Cyber Research at Check Point Research. "But this research shows how even the most mundane, seemingly 'dumb' devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware."
Philips Hue is back with a handful of new announcements at CES today, following Monday's news of a collaboration with Razer that allows your Hue lights to react to any game played on a device that features Razer Chroma. Philips continued that announcement by reiterating that even more partners across the gaming, movie, and music industries will debut in the future.
Philips calls this "Hue Entertainment," and added that a "Hue Sync" app for macOS High Sierra and Windows 10 devices will be coming in Q2 2018. Hue Sync will let you create and customize light scripts for games, movies, and music played on a Mac or Windows computer.
Also in Q2 2018, the company plans to bring its iOS and Android apps to version 3.0, a redesign inspired by comments and feedback from current Hue users. Philips said 3.0 will "enhance" existing and new features so that the smart home lighting system can be activated "with even more ease."
Design changes were not yet specified, but Philips said the new interface will allow you to "instantly access" last used scenes, as well as simplify how lights are grouped together.
Early in Q2 2018, Philips Hue will introduce a redesigned Hue app for both iOS and Android. Based on comments, feedback and ideas from Philips Hue users, the redesign will enhance both existing and new features, to help consumers light their home smarter with even more ease. The new app will improve daily use, and ensure seamless setup and integration of Hue accessories and new Philips Hue Entertainment partnership integrations. The interface will also enable consumers to instantly access their last used scenes, and to simply group lights and select their desired color temperature or color.
Finally, this summer Philips will introduce an outdoor line of Hue bulbs so that you can sync and control lighting in a backyard or elsewhere through the connected Hue app. No other information regarding the outdoor line or its price tag was given.