A vulnerability has been identified in the Philips Hue smart bulbs range that could be exploited by hackers to take over the networks of homes and businesses.

The vulnerability, which has been fixed via a patch issued by Philips, takes the form of a remote exploit in ZigBee, a low-power wireless protocol used in many internet of things (IoT) devices.

Discovered by Check Point Research, the vulnerability could enable a hacker to take control of a Philips Hue smart light bulb, and cause it to appear to ‘glitch’, prompting a user to attempt to fix the problem via their control app.

However, once they looked in the app, the user would find the bulb unreachable, the fix for which is to delete the bulb from the app and then rediscover it via Bridge, the control unit for Philips Hue smart bulbs.

But when the hacker-controlled smart bulb was re-added to the network, the hacker could then use the exploit in the ZigBee protocol to essentially flood the Bridge with data to trigger what is known as a buffer overflow. During this process, they could sneak malware onto the wider network the unit was connected to – and depending on the malware, could then spread ransomware or spyware.

Philips Hue vulnerability fixed in patch

The vulnerability in the Philips Hue range was discovered by researchers at Check Point, and it is not known whether any hackers made use of the exploit.

The company identified the flaw in November and notified Philips and Hue-owner Signify, delaying reporting the discovery until the companies had developed and issued a patched firmware update. This was issued via an automatic update, but can also be downloaded on the Hue website.

“We are committed to protecting our users’ privacy and do everything to make our products safe. We are thankful for responsible disclosure and collaboration from Check Point, it has allowed us to develop and deploy the necessary patches to avoid any consumers being put at risk,” said George Yianni, head of technology at Philips Hue.

Wider ZigBee vulnerabilities in IoT

The research focused only on the Philips Hue range, but because ZigBee is used in a wide range of IoT devices, it is quite likely that the exploit can be used on other products.

Product ranges that use ZigBee technology include Amazon Echo, Samsung SmartThings and Belkin WeMo, but brand-specific testing will need to be conducted to determine if these devices can also be exploited in this way.

The research also highlights how mundane IoT devices can pose a severe threat to home and office networks, yet can be easily overlooked.

“Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as lightbulbs can be exploited by hackers and used to take over networks, or plant malware,” said Yaniv Balmas, head of cyber research at Check Point.

“It’s critical that organisations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware. In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.”
