We have bad news for you. Thanks in part to a years-old vulnerability in ZigBee, security researchers have demonstrated that they can compromise an entire home network via a Philips Hue system. Fortunately, there is also good news: the security researchers reported their findings responsibly to Signify (the company behind Philips Hue), and there is a patch. You should check your Hue firmware right away.
The process is shockingly simple, as shown in the video above. First, the hacker must compromise a single Philips Hue lamp using an existing bug in the ZigBee protocol. Doing so removes the smart lamp from the network, but that is part of the plan. As soon as they control the lamp, the hacker implants malware in it and changes its color.
Now the lamp is 'the wrong color.' The target is likely to notice it and realize that they can no longer change it. Naturally, they will take the usual troubleshooting steps: removing the lamp from the Hue app and re-pairing it (the smart home equivalent of switching it off and on again).
And that is exactly what the hacker hopes for; the unwitting victim has just invited malware onto their network. From there, a hacker can infect other lights, the Hue Bridge and possibly other devices on the network. In the unlikely scenario that the victim connects a computer to the Hue Bridge, a hacker can also put that at risk.
That is all terrible. But fortunately, Check Point responsibly disclosed its findings to Signify, and the company has released a patch to prevent that sequence of events. Unfortunately, Signify cannot change the ZigBee protocol, so the original vulnerability still exists.
Signify has marked the patch as an automatic update, so if you own a Philips Hue Bridge, you don't have to do anything. But given the serious nature of the vulnerability, it might be wise to check your Hue Bridge firmware to confirm that the update has already been applied. If it has not, push the firmware manually.
Unfortunately, introducing new devices into your network always carries the risk of introducing new vulnerabilities and attack methods. As the smart home world continues to grow, we will probably see more incidents of this type, not fewer. Hopefully, other companies will follow Signify's lead and respond quickly to disclosed vulnerabilities.