So is this good news or bad news? Check Point's security experts have discovered a vulnerability in the Hue system that allows an attacker to reach even computers that share a network with the Hue Bridge. The vulnerability has now been resolved by Signify – at least partly.
Signify, the manufacturer of Philips Hue, was informed about the flaw in the system back in November 2019. The technical explanation of the vulnerability has only now been published so that the firmware update released on January 13th could be distributed to users first.
It's best to check the settings of the Hue app to make sure the firmware of your bridge is up to date. The vulnerability was fixed in version 1935144040.
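If you look after more than one bridge, the same check can be scripted. The following is an added example, not code from Signify or Check Point: it assumes each bridge's configuration JSON (as served by the local `/api/config` endpoint) reports the firmware build in a `swversion` field, and the bridge names and sample responses are constructed.

```python
import json

# Firmware build the article names as containing the bridge fix.
FIXED_SWVERSION = 1935144040

def bridge_status(config_json: str) -> str:
    """Classify one bridge from its config JSON: 'patched', 'outdated' or 'unknown'."""
    try:
        config = json.loads(config_json)
    except json.JSONDecodeError:
        return "unknown"          # not JSON at all (proxy error page, wrong device)
    if not isinstance(config, dict):
        return "unknown"
    raw = str(config.get("swversion", "")).strip()
    # Builds are compared as numbers; a missing or non-numeric value is never
    # treated as patched, so it shows up for manual follow-up instead.
    if not raw.isdecimal():
        return "unknown"
    return "patched" if int(raw) >= FIXED_SWVERSION else "outdated"

def audit(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group bridges (name -> config JSON) by status so outdated ones stand out."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for name, config_json in sorted(inventory.items()):
        report[bridge_status(config_json)].append(name)
    return report

# Constructed sample responses, not captured from real devices.
SAMPLE_INVENTORY = {
    "hallway": '{"name": "Hallway", "swversion": "1935144040"}',
    "office": '{"name": "Office", "swversion": "1935074050"}',
    "garage": '{"name": "Garage", "swversion": "01041302"}',
    "attic": '{"name": "Attic"}',
    "cellar": "<html>502 Bad Gateway</html>",
}

if __name__ == "__main__":
    for status, names in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Bridges listed as `unknown` should be checked by hand in the Hue app rather than assumed safe.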
This is the security flaw
The fundamental flaw is found in the ZigBee protocol on which Philips Hue is built. With a radio transmitter and a computer within range of the ZigBee system, an attacker can still access and “remotely control” individual lamps. This is where the much larger security hole comes in, which the experts explain as follows:
- The hacker controls the color or brightness of the Hue lamp to fool users into thinking the lamp is malfunctioning. The Hue lamp will appear in the user's app as 'unreachable', so the user will try to reset it.
- The only way to reset the Hue lamp is to delete it from the app and then instruct the bridge to find it again.
- The bridge will detect the compromised Hue lamp and the user will reintegrate it into his network.
- The hacker-controlled lamp with updated firmware then uses the vulnerabilities of the ZigBee protocol to trigger a heap-based buffer overflow on the bridge by sending a large amount of data to it. This data also allows the hacker to install malware on the bridge – which in turn is connected to the home network.
- The malware then reconnects to the hacker and can use a known vulnerability (such as EternalBlue) to enter the target IP network from the bridge to cause damage.
The firmware update for the Hue Bridge ensures that the security hole is no longer completely open: the bridge can no longer serve as a gateway into the home network.
A firmware update for the original security hole in the lamps should be available at the end of February, or at the beginning of March at the latest. According to Signify, lamps with current hardware, which probably means the models with the additional Bluetooth chip, are not affected by the security gap.