Skip to main content

Researchers develop worm to hack connected Philips Hue light bulbs

(Image credit: Image Credit: Frank Gaertner / Shutterstock)

Philips Hue light bulbs could be vulnerable to a cyber attack, according to researchers who have developed a proof-of-concept worm capable of spreading from bulb to bulb with the power to turn the lights on and off.

The researchers efforts at gaining access to the connected light bulbs was detailed in their paper titled IoT Goes Nuclear a ZigBee Chain Reaction. The worm they created was able to gain access to the Philips Hue devices by exploiting hard-coded symmetric encryption keys that are used to control devices over Zigbee wireless networks.

The worm is able to spread from a single bulb to those in its vicinity through the use of skeleton keys and the malware could even infect another light bulb from over 400 metres away.

The task of exploiting Philips' connected light bulbs was carried out by Eyal Ronen, Adi Shamir and Achi-Or Weingarten who are all researchers at the Weizman Institute of Science in Israel. The team also gained additional help from Colin O'Flynn of Dalhousie University in Canada.

Philips has since released a firmware patch for its Hue connected bulbs, though for users to receive the patch they first need to install and configure the Philips Hue app. Unfortunately, this must be done before an attack occurs as the worm has the ability to override any potential updates.

The researchers offered further insight on how their malware operates and is able to infect Philips Hue light bulbs, saying: “The worm spreads by jumping directly from one lamp to its neighbours, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.”

Though the worm was designed as a proof-of-concept, it highlights how unsecure many current connected devices are and the need for heightened security in IoT devices.

Image Credit: Frank Gaertner / Shutterstock

Anthony Spadafora
Anthony Spadafora

After getting his start at ITProPortal and then working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches to how to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.