
Flaw in Philips Hue wireless lighting can allow unauthorised changes

Philips Hue light bulbs have been successfully compromised by a security researcher who claims they could be used to trigger a "blackout attack".

Nitesh Dhanjani, an independent security researcher, identified several vulnerabilities that exist in the internet connected light bulb system, which, if exploited, could lead to system blackouts.

The scientist’s white paper, titled “Hacking Lightbulbs: Security Evaluation of the Philips Hue Personal Wireless Light System”, exposes the fact that “any user on the same network segment as the bridge can issue HTTP commands to change the state of the light bulb,” according to Dhanjani.

“In order to succeed, the user must also know one of the whitelisted tokens. It was found that in [the] case of controlling the bulbs via the Hue website and the iOS app, the secret whitelist token was not random but the MD5 hash of the MAC address of the desktop or laptop or the iPhone or iPad,” Dhanjani added.

This leaves the bulbs open to hacking, as “malware on the internal network can capture the MAC address active on the wire, using the ARP cache of the infected machine”.
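From the defender's side, the weakness is that the token is a deterministic function of a value every machine on the LAN can observe. The following is an added example, not code from Dhanjani's paper or from Philips: it audits a list of whitelist tokens against an inventory of your own devices' MAC addresses and shows a random replacement. The function names, the sample data and the set of MAC spellings tried are assumptions, since the article does not say which textual form of the address was hashed.

```python
import hashlib
import secrets


def mac_spellings(mac):
    """Yield common textual spellings of a MAC address.

    Assumption: the article does not state which spelling was hashed,
    so the audit checks several separators and both letter cases.
    """
    digits = "".join(c for c in mac if c.isalnum()).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    for sep in (":", "-", ""):
        joined = sep.join(pairs)
        yield joined
        yield joined.upper()


def audit_whitelist(tokens, inventory):
    """Return {token: device_name} for every token that is MD5(MAC) of a known device."""
    derived = {}
    for name, mac in inventory.items():
        for spelling in mac_spellings(mac):
            derived[hashlib.md5(spelling.encode("ascii")).hexdigest()] = name
    return {t: derived[t.lower()] for t in tokens if t.lower() in derived}


def new_token():
    """Replacement token: 128 bits from the OS CSPRNG, unrelated to any device identifier."""
    return secrets.token_hex(16)


# Constructed sample data (not real devices or real bridge tokens).
INVENTORY = {"laptop": "00:11:22:33:44:55", "phone": "66-77-88-99-AA-BB"}
WHITELIST = [
    hashlib.md5(b"00:11:22:33:44:55").hexdigest(),  # derived from the laptop MAC
    hashlib.md5(b"66778899AABB").hexdigest(),       # same flaw, different spelling
    new_token(),                                    # random, must not be flagged
]

if __name__ == "__main__":
    for token, device in audit_whitelist(WHITELIST, INVENTORY).items():
        print(f"predictable token {token} is derived from the MAC of {device}")
```

Any token the audit flags can be reproduced by whoever learns that device's MAC address, so it should be revoked and reissued from a random source.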

According to The Inquirer, Philips is already aware of the problem and explained that if a home network is sufficiently protected there is no risk of infiltration.

“An attack of the nature described requires that a computer on your private local network is compromised to send commands internally. This means there is no security risk if your home network is properly protected, as traffic passing between your devices and across the internet will remain fully secure,” a Philips spokesperson said.

Philips’ Hue lighting system was unveiled earlier this year and gives users the ability to wirelessly control up to 50 individual bulbs using a smartphone or tablet via a Hue Bridge plugged into the wireless router.

Image Credit: Flickr (Michele Ficara Manganelli)