Australia markets closed

Philips patched a longstanding Hue bulb security flaw

Christine Fisher
Contributing Writer
Signify

Philips and its parent company Signify have patched another Hue smart light bulb vulnerability. Fortunately, the flaw was discovered by security researchers at CheckPoint Software, and it's unlikely that it was exploited in the wild. But this isn't the first time researchers have shown how smart home products, and Hue lights specifically, could give hackers access to entire home or business networks.

The researchers discovered that they could take control of a Hue light bulb and install malicious firmware. Then, they'd be able to mess with the light, changing color and brightness. If the user tried to reset the bulb, by deleting it from the app and then reconnecting it, the hackers would be able to deploy the malicious firmware and use the ZigBee protocol to connect to the targeted business or home network. Finally, the hackers would be able to spread ransomware or spyware throughout the network.

CheckPoint notified Philips and Signify of the vulnerability in November, and Signify issued a patch (Firmware 1935144040) several weeks ago. If your Philips Hue Hub is connected to the internet, it should have automatically updated, but it is worth double checking.

According to Signify, Hue lights produced in 2018 or later do not include the vulnerability. "There is very limited risk to users but they should always make sure their Philips Hue products have been updated to the latest software version," Signify said in a statement provided to Engadget.

This may all sound familiar. In 2016, hackers hijacked Philips Hue lights with a drone using a ZigBee weakness. Philips issued a firmware update, but again in 2017, researchers proved they could take over the smart light bulbs using ZigBee. This current exploit uses the same vulnerability found in 2017. Signify patched the vulnerability then, but researchers found another way to take advantage of it.

As The Verge notes, the Zigbee protocol used in this exploit is also used by other smart home brands, like Amazon's Ring, Samsung SmartThings, Honeywell thermostats and Comcast's Xfinity Home alarm system. While those products aren't necessarily at risk, the Philips Hue vulnerability does raise the question of how safe our smart home products really are. If you're worried about your connected devices, you can check out our guide to keeping your smart home secure.