New study details a security flaw with Philips Hue smart bulbs

In a paper titled "IoT Goes Nuclear," researchers detail how web-connected Philips Hue smart bulbs could be maliciously hacked to create a "city-wide bricking event." Representatives from Philips claim that they addressed the concern with a security update earlier this year.

Ry Crist Senior Editor / Reviews - Labs

Less than two weeks after a massive botnet attack powered largely by insecure web-connected home devices brought much of the internet to a temporary standstill, researchers are detailing an apparent security flaw with Philips Hue smart bulbs, and potentially other devices that communicate using ZigBee transmissions, too.


Researchers flew their hacking device next to this building using a drone, and were able to force the lights to flash.


The report, titled "IoT Goes Nuclear," explains how researchers from Israel's Weizmann Institute of Science and Dalhousie University in Halifax, Nova Scotia, Canada, were able to remotely hack Philips Hue bulbs from either a car or a drone at a distance of 229 feet (about 70 meters). Their method involved tricking the lights into accepting a malicious firmware update -- from there, the hackers were able to take control of the bulbs and force them to flash against their will.

That might not sound so bad, but the researchers warn that their technique could be used to control a massive number of lights all at once in a densely populated area, which could theoretically be used to damage a city's electrical grid.

Researchers also point out that they were able to pull off their hack with just a few hundred dollars of common equipment, and without needing to intercept an actual firmware update from Philips. As they put it, "this demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product."

The good news is that the researchers disclosed their hack to Philips earlier this year, and the company responded by quietly issuing a security update to address the issue before anything was made public.

"The academics with whom we cooperated merely demonstrated the possibility of an attack," a Philips Lighting representative told me. "They did not create a virus nor disclose information necessary for someone else to do so. Their research findings helped us develop and roll out the software update."

"We recommend all customers install the latest software update via the Philips Hue app, as with any other update that we release, despite assessing the risk to Philips Hue products as low."