Taking control of a network by hacking a Philips Hue bulb

An information security firm reported the finding of a new vulnerability in Philips Hue devices that, if exploited, would allow a hacker to take control of a light bulb and turn it on or off at will, change its color or brightness, among other tasks. The flaw is remotely exploitable using only a laptop with a radio transmitter.

According to the report, the vulnerability lies in the Zigbee communication protocol, which is used in Philips Hue and other Internet-connected home devices, such as smart speakers, locks and thermostats, among others.

Information security experts found a way to deploy a privilege escalation attack starting from a Philips Hue bulb. Depending on the skills of the hackers, an entire local network could even be compromised. The attack consists of the following steps:

  • The threat actor exploits the original vulnerability to take control of a single Philips Hue bulb
  • The targeted user loses control over the affected bulb, which is disconnected from the network
  • The user scans for the Philips Hue bulb again and re-adds it to the network
  • The bulb, now infected, is used by the hacker to attack the Hue bridge
  • From that point, the hackers can access the network and even the computers connected to it

If hackers manage to access a computer on the network, they may install malicious software, such as keyloggers or some variant of ransomware. Information security experts reported these vulnerabilities to Signify, the company that owns the Philips Hue brand, which was quick to release a security patch that is already available.

Although the flaw that allows access to the network was corrected, experts from the International Cyber Security Institute (IICS) report that, because the original vulnerability resides in the bulbs themselves, it cannot be corrected with software updates; full mitigation of this security risk would therefore require the launch of a completely new light bulb. However, the fix released by the company ensures that hackers cannot reach the network from an attack against the bulb.