Security researchers discovered a vulnerability in the Philips Hue smart bulbs that may allow hackers to infiltrate a home’s network.
Cybersecurity firm Check Point revealed the exploit through a blog post, where it detailed the method of attack that hackers may use to take advantage of the bug.
The first step in the hack, which is made possible by a remote exploit in the ZigBee low-power wireless protocol that is used on many smart home devices, is for the hacker to take control of one Philips Hue smart bulbs. By adjusting the bulb’s color and brightness, the victim will be tricked into thinking that it is glitching out.
The smart bulb will appear as “unreachable” in the Philips Hue control app, so the victim will likely try to reset it by deleting the bulb and then reconnecting it to the app. Once the infected bulb is back online, the hacker will flood its control bridge with malware through the ZigBee exploit, then infiltrate the home network where the bridge is attached to spread ransomware and spyware, among other things.
The hack requires the victim to take action on a malfunctioning Philips Hue smart bulb, which has a good chance of happening due to the visibility of a flickering light bulb. The researchers already reached out to Signify, the parent company of Philips Hue, in November 2019 to provide information about the vulnerability, which has already been patched up in firmware version 1935144040.
Philips Hue smart bulb owners are recommended to check the software update section of the Philips Hue control app to make sure that the latest version of the software has been installed. It should not be an issue if automatic updates are enabled, otherwise, owners will need to manually download the new firmware version.
Check Point, in a joint decision with Signify, further delayed the release of the full technical details of the vulnerability. This delay is intended to give people sufficient time to update their Philips Hue smart bulbs, in order to protect themselves from hackers trying out the attack especially after its full details are eventually released by Check Point.
- Why are hackers snooping on smart home security cameras? I asked an ex-hacker
- Hackers expose personal details of 10 million MGM hotel guests
- WhatsApp fixes bug that could have allowed hackers to read your desktop files
- Ring’s defense of recent hacks is as shoddy as its security, lawyer claims
- There’s a major Android bluetooth security flaw. Here’s how to fix it