There was a major bug in your Philips Hue Hub, so here's how to make sure you're patched up and safe

Philips Hue Go (Image credit: Lory Gil / Android Central)

Researchers from Check Point Software have released the details of a particularly nasty vulnerability in the Zigbee smart home protocol that has the potential to take over your Wi-Fi network and inject malware into the things connected to it. This is notable because many smart home and Internet of Things products use Zigbee, including the Philips Hue lamps and bridge that a lot of people own.

This vulnerability was patched by Philips but a lot of things use Zigbee.

The good news is that the vulnerability was patched in your Hue setup before details were made public because Check Point contacted Philips immediately after it figured this mess out. In fact, it's been patched by a firmware update you probably already received.

The bad news is that you might own other devices that use Zigbee and they aren't yet patched. And might never be.

How it works

  • An attacker is able to use the Zigbee exploit to take control of a lamp connected to your Hue Bridge.
  • The attacker then messes with the settings of the lamp and does things like randomly change colors or brightness, making you think the bulb is glitched.
  • You remove the lamp from the Hue app, then let it be rediscovered.
  • The attacker then can use the "infected" lamp to take over your hub and install a piece of malware onto it.
  • This malware can allow the hacker to connect to everything on the same network and, using other known exploits, try to spread something like spyware or ransomware to smarter devices, like a computer or smartphone.

Check Point and Hue worked to patch the Hue Hub in mid-January. You should have received an automatic update to the Hub with this patched software by now and none of this works anymore.

Check to make sure you're safe

Philips Hue app settings (Image credit: Hayato Huseman / Android Central)

Checking to make sure you're safe is easy — open the Hue app and look in the Settings > About section to make sure your Hub/Bridge is on firmware version 1935144040 or later. If so, you're good.

If you're not on patched firmware, you can open the Settings > Software Update screen and you'll find an update waiting. Install it.
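If you have more than one bridge, or would rather check from a terminal than from the app, the same version number can be read from the bridge's local REST endpoint. The script below is an added example, not code from Philips or from this article; it assumes that an unauthenticated GET on `http://<bridge-ip>/api/config` returns a JSON body containing `swversion`, and the sample responses embedded in it are constructed.

```python
"""Audit a Philips Hue Bridge's firmware against the patched release named above."""
import json
import sys
import urllib.request

# Minimum patched bridge firmware quoted in the article.
MIN_PATCHED_SWVERSION = 1935144040

# Constructed samples of the JSON body assumed to come back from
# GET http://<bridge-ip>/api/config (field names assumed, values made up).
SAMPLE_CONFIG_OLD = '{"name": "Philips hue", "swversion": "1933001934", "apiversion": "1.33.0"}'
SAMPLE_CONFIG_NEW = '{"name": "Philips hue", "swversion": "1935144040", "apiversion": "1.35.0"}'


def parse_swversion(config_json: str) -> int:
    """Extract the numeric firmware version from a /api/config response body."""
    cfg = json.loads(config_json)
    ver = cfg.get("swversion")
    # The bridge reports swversion as a string of digits; refuse anything else
    # rather than silently treating a malformed reply as "patched".
    if ver is None or not str(ver).isdigit():
        raise ValueError("config has no numeric swversion field")
    return int(ver)


def is_patched(config_json: str, minimum: int = MIN_PATCHED_SWVERSION) -> bool:
    """True if the reported swversion is at or above the patched release."""
    return parse_swversion(config_json) >= minimum


def fetch_config(bridge_ip: str, timeout: float = 3.0) -> str:
    """Fetch /api/config from a bridge on the local network (no API key assumed)."""
    with urllib.request.urlopen(f"http://{bridge_ip}/api/config", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_bridge(bridge_ip: str) -> str:
    """Return a one-line verdict for a single bridge."""
    ver = parse_swversion(fetch_config(bridge_ip))
    if ver >= MIN_PATCHED_SWVERSION:
        status = "patched"
    else:
        status = "NOT patched, install the update under Settings > Software Update"
    return f"{bridge_ip}: swversion {ver} -> {status}"


if __name__ == "__main__":
    for ip in sys.argv[1:]:
        print(check_bridge(ip))
```

Run it with the bridge's LAN address as an argument; the parsing functions are separate from the network call so they can be exercised on saved responses.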

Internet of Things devices are notoriously insecure, and this is a perfect example of why that matters. Philips quickly and responsibly patched this exploit, and Zigbee will patch against it in the next version of the protocol, though it is the manufacturer of each device who has the responsibility to actually ship that fix to its products.

Most companies that make IoT devices will never update them.

Most don't. That's why we recommend products from companies that understand the importance of IoT security, like Signify (Philips' parent company) or August. Someone sitting outside your house turning your lights from blue to red is simply an annoyance, but that unfolding into a situation where the next time you turn on your PC it's locked down until you pay a hefty ransom to a hacker to decrypt the file system is pretty serious.


Companies like Google, Samsung, and BlackBerry are working hard to make the Internet of Things more secure, but it's a long slow process because the foundation of it all uses so many different parts. But it's something that has to be done before things like self-driving cars or even self-reading water meters become commonplace.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

1 Comment
  • So how much of this is a Zigbee protocol bug and how much of this is a Hue implementation bug? Meaning, is the bulb take-over an issue for all Zigbee devices, just Zigbee LightLink devices, or just Hue bulbs? I don't know how much of a common code base these Zigbee devices actually use. Hue has added various "special" features over the years to try and make the Hue hub not link to non-Hue products and/or Hue bulbs not link to non-Hue hubs, so they aren't exactly "stock" Zigbee devices.