Critical: serious vulnerability in software from Philips Hue

Sorry if this is the wrong place. I also searched for Philips Hue and the latest topics. Didn’t see anything mentioned here regarding this security breach.

I want to make the effort to inform Philips Hue product owners to update their firmware.

A serious vulnerability in software from Philips Hue lamps allowed hackers to take over the lamps and monitor traffic on the connected Wi-Fi network. The leak was discovered by researchers at Check Point Security.

Earlier, researchers demonstrated that they could take over the Philips Hue lamps. They could turn the lights on or off and change color. Now they have also managed to gain access to other devices within a Wi-Fi network through this vulnerability.

According to the researchers, this leak could potentially spread ransomware and spyware to other devices within the network. It is not known whether that happened.

The researchers reported the leak to Philips in November 2019. The company has now released an update to close that leak.

Anyone who owns a Philips Hue lamp is advised to update the software for the lamps. You can check whether you have the latest version via the app. The update for the vulnerability is in firmware version 1935144040.

2 Likes

Thanks for the heads up, I’ve checked the firmware of my Philips Hue bulbs and they are running firmware 1.53.3-27175, I have no idea what date this firmware is, so I’ll have to check what date it was released.

Do you know whether Philips Hue lamps running on other hubs such as the Ikea hub would be vulnerable?

Thanks for the heads up.

One has to distinguish between the firmware for the bulbs and the firmware for the hub. There are many bulbs and there are two versions of the hub.

Firmware 1935144040 is for the v2 hub. (I have the v1 hub and both it and my bulbs appear to have the latest firmware available for them. Whether that is because the v1 is not vulnerable, or because Philips/Signify can’t be bothered with the v1, I dunno.)

On further investigation, my bulbs’ firmware isn’t listed in the meet-hue website release notes. I have three bulbs that were in the original starter’s pack I bought, probably around 2013. They are all model LCT001 and have firmware 5.127.1.26581, the other is model LCT007 and has fw 5.127.1.26420. Searching those numbers leads to some SmartThings forum where they are discussed.

Anyway, they do what they are told, that’s the main thing.
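An added example, not part of any post in this thread: a Python check that reads a Hue bridge's public config document and compares its firmware with the version quoted above. It assumes the bridge's local `/api/config` endpoint and its `modelid`/`swversion` fields, applies the threshold only to the v2 bridge (`BSB002`) as one poster describes, and uses constructed sample documents; the function names are illustrative.

```python
import json
import urllib.request

PATCHED_V2 = 1935144040  # fixed firmware version quoted in this thread

def fetch_config(bridge_ip, timeout=5):
    """Read the bridge's public config document (no API key needed)."""
    url = f"http://{bridge_ip}/api/config"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def assess(config):
    """Return 'patched', 'needs-update' or 'unknown' for a bridge config dict."""
    model = config.get("modelid", "")
    sw = str(config.get("swversion", ""))
    # The thread only gives a fixed version for the v2 bridge (BSB002);
    # nothing here says what a v1 bridge (BSB001) should be running.
    if model != "BSB002":
        return "unknown"
    # Bridge versions are plain integers. Bulb versions such as
    # 1.53.3-27175 use a different scheme and cannot be compared to them.
    if not sw.isdigit():
        return "unknown"
    return "patched" if int(sw) >= PATCHED_V2 else "needs-update"

# Constructed sample documents (not captured from real bridges).
SAMPLE_V2_OLD = json.loads(
    '{"name": "Hue bridge", "modelid": "BSB002", "swversion": "1933144020"}')
SAMPLE_V2_NEW = json.loads(
    '{"name": "Hue bridge", "modelid": "BSB002", "swversion": "1935144040"}')
SAMPLE_V1 = json.loads(
    '{"name": "Hue bridge", "modelid": "BSB001", "swversion": "01041302"}')

def report():
    """Assess each constructed sample and return the verdicts by label."""
    samples = {"v2-old": SAMPLE_V2_OLD, "v2-new": SAMPLE_V2_NEW, "v1": SAMPLE_V1}
    return {label: assess(cfg) for label, cfg in samples.items()}

if __name__ == "__main__":
    for label, verdict in report().items():
        print(f"{label}: {verdict}")
```

To check a real bridge, pass its address to `fetch_config` and feed the result to `assess`.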

I read that article too. It would be interesting to hear from a neutral third party exactly how big a risk this might be in the real world.

How common are the conditions they demonstrated in the lab? What sort of obstacles would a hacker need to overcome to produce the same results? Would they need physical access to any device in my house? Would they need to hack into my network? My upstream provider?

Obviously there’s some incentive for the authors of this kind of article to inflate the urgency. I’m not saying they’ve done that, but it would be good to get a second opinion before panicking.

I read the article too, and it sounds like hue is the least of our worries really (those of us that have other zha devices anyways). I am very curious about this… don’t believe it is tin hatting when there are unpatched exploits in the wild.

It sounds like some work may be needed on securing the way zha hubs work with ha? Like not allowing certain things to happen over zha?

1 Like

No physical access needed allegedly… and no lan needed either. Just need your hub to be part of the lan, and they can get in. I’m also curious to hear just how easy/hard this is. Sounds easy at first blush though.

1 Like

I don’t think the discussion should be likelihood of you being hacked. It’s more that Philips confirmed the potential of someone exploiting the bug and that there’s been a fix/patch released. That was also more the reason why I shared this to help Philips Hue owners raise awareness that there’s a release marked as important by Philips too.

Not the intention to raise fear.

1 Like

Agree that the real action item here is for Hue owners to install the patch.

For me (not a Hue owner) it’s more about general knowledge. I always want to understand the how’s and why’s of a report like this. I like to decide for myself if it’s urgent, and if there’s a broader lesson here that I can apply to other situations.

Even the article said they more or less picked Hue at random to try hacking. This sort of implies that ANY similar system, subject to the same level of effort, might also have weaknesses.

1 Like

From Check Point’s own video, local access to the Zigbee mesh is required. In order to deliver the exploit, they are running a Python script targeting the IP address of the local Hue bridge.

Philips did patch it though.

Like what certain things and what securing methods? ZHA is already pretty secure in terms of not allowing wardriving because a join has to be initiated via the controller (it’s even more secure on ZLL meshes). Enhanced security is part of the Zigbee-PRO spec and has been enabled on most coordinators.

Now, if someone is able to get to your local instance of HA (or Hue) to allow the join request, that’s quite different as that’s a network breach and something that should be handled at the router/firewall level. But, being able to hack into a Zigbee network, that takes quite a bit of expertise and there are very few products out there even capable of doing it (ZigDiggity and KillerBee both come to mind). However, both of those frameworks still require someone to be close enough to your property to be able to sniff the traffic and/or penetrate the mesh. I don’t know about you, but if someone is sitting anywhere close to my property with a device in their hand, then I’m coming out with gun in hand to ask some questions.

That depends on the weakness. Zigbee is a low-power protocol which means someone needs physical access to be able to even begin to hack your mesh. Now, if it were a downloaded firmware (like Osram, Cree and GE bulbs all utilize), that’s a different story and personally, that’s on the user to validate where they are downloading firmware from. An IoT device is no different than a computer when it comes to downloading updates; people need to be conscious of what they are downloading and from where.

6 Likes

They have patched the V2 firmware, not the V1 though.

To all who mentioned that the Philips Hue thing alone being patched is an actionable item, yes I agree, however only one other reply mentioned something else important to the rest of us that was mentioned in the article. They hand picked Hue like one would choose Windows, or iPhone… lots of devices and a responsible company. They knew Philips would respond and patch it. They didn’t pick say, Aqara devices because they know the end result would not be so great when the info goes public. The researchers even said specifically other devices would be much easier to exploit.

So to be clear, I think the news for Hue owners is benign compared to what it entails for owners of the ‘lesser zha devices’. In fact, I have little faith that my Aqara devices will ever be patched against this, do you?

I don’t have much critical info on my network that a hacker would want, but that won’t stop the script kiddies from deleting my family photos. If that is a possibility running Aqara or other unpatched zha devices, it isn’t worth the benefits I get using those devices. In my case, I only have 5 zha devices I’d have to swap out. I feel bad for others who may just end up deciding to cross fingers over this one.

Did you read the answer from @code-in-progress?
I wouldn’t worry too much, as a hacker would need to be close to your house to hack into the zigbee network and even then it is not easy.

1 Like

I thought the patch was for both versions. I remember reading about that on Hue’s site. I know the V1 goes into EOL in April of 2020, but I would have thought they would have patched both hubs.

Check Point picked Hue because they are the largest when it comes to smart home sales of products with Ikea being a close second. They also never said other devices would be much easier to exploit. In fact, most of this article is pretty much a sales pitch for their “recently acquired technology”. The actual quote from the article is

“Check Point is the first vendor to provide a consolidated security solution that hardens and protects the firmware of IoT devices. Utilizing a recently acquired technology Check Point allows organization to mitigate device level attacks before devices are compromised utilizing on-device run time protection.”

That’s the secondary reason why they picked Hue: to sell a product. Businesses know Signify and its IoT products.

True, but the real issue here is access to one’s local mesh (unless we are talking about downloaded firmware in which case that’s still on the user to verify where they are downloading the firmware from).

This is the #1 reason for having secure VLANs. Were someone to breach my network, they’d be stuck on a VLAN that has no access to the Internet nor my other VLANs. They would be sitting on a virtual island with no escape in terms of accessing my personal data (or other critical devices). Every consumer router nowadays should have at least basic VLAN and firewall support (I know, they don’t), but smart home consumers should be looking for routers that do support this functionality and make use of it.

Bottom line is yes, there are going to be vulnerabilities in every network. But, this one in particular is rather benign (and difficult to exploit in the wild) and is being pushed hard by Check Point to sell a product.

2 Likes

Agreed, it is access to mesh that is the concern, and VLANs are an effective mitigation. I just wish VLANs were more common… I have to use DIY scripts on my Asus Merlin router for that. DD-WRT is better but then you don’t get accelerated QoS. :confused:

Maybe this Zigbee thing is just what we need to stimulate development of VLAN features in commercially available router settings.

I cannot see that version for V1. If you have further info, I’d love to know.