Bug in Philips Smart Light Allows Hopping to Devices on the Network- Comment

It has been reported that security researchers taking a closer look at the Philips Hue smart bulbs and the bridge device that connects them discovered a vulnerability that helped them compromise more meaningful systems on the local network.

Commenting on this, Boris Cipot, senior security engineer at Synopsys, said “IoT devices, be it bulbs, door locks, home assistants, switches etc., are a common utility in many households today. This is due to their versatility of use, which also helps to make life easier and more comfortable. They can be controlled by devices like our phones and other IOT devices in the same network, so we can use our voice to turn them on and off, or in the case of the Philips Hue bulbs, change the colour or intensity of light. The communication protocol used for giving commands to the Philips Hue bulbs and receiving information from them is called ZigBee, a standardized protocol used by many other IoT devices. Unfortunately, this protocol has a vulnerability enabling an attacker to exploit these IoT devices, including the Philips Hue bulbs and the Philips Hue Bridge model 2.x.

The good news is that the vulnerability has already patched by Philips and was released on the 13th of January. Users that have automatic updates enabled on their bridges have already got the patch applied. Those who have not enabled automatic updates or are unsure if they have, should check what their status is on the Hue System in the Hue app (Settings -> Software update -> Automatic Update). It is highly advisable to turn the automatic updates on as you do not want to miss any security improvements now or in the future. Furthermore, there are other perks to having automatic updates switched on. This includes ensuring you do not miss out on quality, security or performance improvements, as well as guaranteeing that your Hue System stays compatible with new Hue products.”