Researchers from Check Point Software have released the details of a particularly nasty vulnerability in the Zigbee smart home protocol that has the potential to take over your Wi-Fi network and inject malware into the things connected to it. This is notable because many smart home and Internet of Things products use Zigbee, including the Philips Hue lamps and bridge that a lot of people own.
The good news is that the vulnerability was patched in your Hue setup before details were made public because Check Point contacted Philips immediately after it figured this mess out. In fact, it's been patched by a firmware update you probably already received.
The bad news is that you might own other devices that use Zigbee and they aren't yet patched. And might never be.
How it works
- An attacker is able to use the Zigbee exploit to take control of a lamp connected to your Hue Bridge.
- The attacker then messes with the settings of the lamp and does things like randomly change colors or brightness, making you think the bulb is glitched.
- You remove the lamp from the Hue app, then let it be rediscovered.
- The attacker then can use the "infected" lamp to take over your hub and install a piece of malware onto it.
- This malware can allow the hacker to connect to everything on the same network and try to spread something like spyware or ransomware to smarter devices, like a computer or smartphone, using other known exploits.
Check Point and Hue worked to patch the Hue Hub in mid-January. You should have received an automatic update to the Hub with this patched software by now and none of this works anymore.
Check to make sure you're safe
Checking to make sure you're safe is easy — open the Hue app and look in the Settings > About section to make sure your Hub/Bridge is on firmware version 1935144040 or later. If so, you're good.
If you're not on patched firmware, you can open the Settings > Software Update screen and you'll find an update waiting. Install it.
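If you have more than one Bridge to check, the same version comparison can be done against the Bridge's local API instead of by eye. The script below is an added example written for this page, not Check Point's or Signify's code; it assumes that a Bridge answers an unauthenticated GET on http://<bridge-ip>/api/config with JSON that carries its firmware number in a "swversion" string, and the sample responses embedded in it are constructed, not captured from real Bridges. A missing or non-numeric version is reported as "unknown" rather than assumed safe.

```python
"""Audit Philips Hue Bridges against the firmware version that carries the
Zigbee fix described in the article (1935144040 or later).

Added example for this page; not Check Point's or Signify's code.
Assumption: each Bridge serves GET http://<bridge-ip>/api/config without
authentication and the JSON body contains a "swversion" string.
"""
import json
import urllib.request
from typing import Dict, Optional

# Minimum firmware version quoted in the article as carrying the fix.
MIN_PATCHED_SWVERSION = 1935144040


def parse_swversion(config_json: str) -> Optional[int]:
    """Extract the numeric swversion from an /api/config JSON document.

    Returns None when the body is not JSON, the field is missing, or the
    value is not a plain digit string, so a malformed answer can never be
    mistaken for a patched Bridge.
    """
    try:
        config = json.loads(config_json)
    except ValueError:
        return None
    raw = config.get("swversion") if isinstance(config, dict) else None
    if not isinstance(raw, str) or not raw.isdigit():
        return None
    return int(raw)


def bridge_status(config_json: str) -> str:
    """Classify one Bridge as 'patched', 'needs_update' or 'unknown'."""
    version = parse_swversion(config_json)
    if version is None:
        return "unknown"
    return "patched" if version >= MIN_PATCHED_SWVERSION else "needs_update"


def audit_bridges(configs: Dict[str, str]) -> Dict[str, str]:
    """Map each Bridge label to its status.

    `configs` maps a label you choose (room name, IP address) to the raw JSON
    body returned by that Bridge's /api/config endpoint.
    """
    return {label: bridge_status(body) for label, body in configs.items()}


def fetch_bridge_config(bridge_ip: str, timeout: float = 5.0) -> str:
    """Fetch /api/config from a Bridge on the local network.

    Assumption: the Bridge is reachable over plain HTTP on the LAN. Not used
    by the offline run below; pass its result to bridge_status().
    """
    url = f"http://{bridge_ip}/api/config"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses (not captured from real Bridges) so the audit
# runs offline: one patched, one on an older number, one with a malformed field.
SAMPLE_CONFIGS = {
    "living-room": '{"name":"Philips hue","swversion":"1935144040","modelid":"BSB002"}',
    "office": '{"name":"Philips hue","swversion":"1933144040","modelid":"BSB002"}',
    "garage": '{"name":"Philips hue","swversion":"1.2.3","modelid":"BSB002"}',
}

if __name__ == "__main__":
    for label, status in audit_bridges(SAMPLE_CONFIGS).items():
        print(f"{label}: {status}")
```

Run it as-is to see the three constructed cases classified; to audit real Bridges, replace the sample bodies with the output of `fetch_bridge_config(ip)` for each Bridge on your network and update any that come back as "needs_update" or "unknown" through the Hue app's Software Update screen.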
Internet of Things devices are notoriously insecure, and this is a perfect example of why that matters. Philips quickly and responsibly patched this exploit, and Zigbee will patch against it in the next version of the protocol, though it's the manufacturer who has the responsibility to patch the devices themselves.
Most don't. That's why we recommend products from companies that understand the importance of IoT security, like Signify (Philips' parent company) or August. Someone sitting outside your house turning your lights from blue to red is simply an annoyance, but if that escalates to a situation where the next time you turn on your PC it's locked down until you pay a hefty ransom to a hacker to decrypt the file system, that's pretty serious.
Companies like Google, Samsung, and BlackBerry are working hard to make the Internet of Things more secure, but it's a long, slow process because the foundation of it all uses so many different parts. But it's something that has to be done before things like self-driving cars or even self-reading water meters become commonplace.
So how much of this is a Zigbee protocol bug and how much of this is a Hue implementation bug? Meaning, is the bulb take-over an issue for all Zigbee devices, just Zigbee LightLink devices, or just Hue bulbs? I don't know how much of a common code base these Zigbee devices actually use. Hue has added various "special" features over the years to try and make the Hue hub not link to non-Hue products and/or Hue bulbs not link to non-Hue hubs, so they aren't exactly "stock" Zigbee devices.