Researchers Hack Philips Hue Smart Bulbs Using a Drone

schwit1 quotes a report from PCWorld: "Researchers were able to take control of some Philips Hue lights using a drone. Based on an exploit for the ZigBee Light Link Touchlink system, white hat hackers were able to remotely control the Hue lights via drone and cause them to blink S-O-S in Morse code. The drone carried out the attack from more than a thousand feet away. Using the exploit, the researchers were able to bypass any prohibitions against remote access of the networked light bulbs, and then install malicious firmware. At that point the researchers were able to block further wireless updates, which apparently made the infection irreversible. 'There is no other method of reprogramming these [infected] devices without full disassemble (which is not feasible). Any old stock would also need to be recalled, as any devices with vulnerable firmware can be infected as soon as power is applied,' according to the researchers. The researchers notified Philips of the vulnerability. The company then delivered a patch for it in October." It wasn't long ago that claiming "Drones are controlling my lightbulbs!" would have gotten you locked up for your own protection.

eventually, someone gets hurt

[turkeydance]

then someone gets sued. then some lawyers make bonus.

Networked light bulbs are useless and stupid

Not everything needs to be on the damn fucking internet.....unplug motherfuckers...

Re:Networked light bulbs are useless and stupid

[alvinrod]

These particular bulbs are capable of changing color, so there needs to be someway of controlling them that doesn't necessitate replacing the light fixture itself or running more cabling all over the place. That means they need to use some kind of wireless technology and it's easiest just to use something standard that's well documented and already has legal approval.

I suppose you could argue that the technology itself is pointless, but that could probably be said about plenty of things you consider necessary or vital as well, so there's not much point in going down that route since it's largely personal opinion or arbitrary. I suppose that this should be a lesson to hardware manufacturers that they need to consider security, or at least have some kind of physical hardware reset.

Re:Networked light bulbs are useless and stupid

[aaarrrgggh]

Well... I have a few Hue bulbs, and while the IP is properly fire walled from the Internet, the issue here is zigbee, which you can't exactly firewall as an end user. The same issues were true for X10, Insteon, and every other power line and wireless system. Sure, you aren't going to be able to hack my DMX, well... unless you have physical access...

Re:Networked light bulbs are useless and stupid

[Khyber]

This. I work in lighting, specifically LED. Making an analog RGB control is dead fucking simple and we've got wiring that already exists to handle such a thing.

Re:Networked light bulbs are useless and stupid

[geekmux]

These particular bulbs are capable of changing color, so there needs to be...

...some justification as to why we "need" color changing light bulbs, other than data mining from the app controlling it?

Yes, I agree.

Re:Networked light bulbs are useless and stupid

[djrobxx]

Old fashioned dimmers required a dimmer switch. Making a dimmer switch that could use some sort of powerline comms to send 3 integers (RGB) from switch to bulb to control hue and brightness would be utterly trivial. No new cabling required, just install a new dimmer switch and the bulb and you're done.

Have you ever used X10 / Insteon? PLC sounds good until you try to use it. Half the house is on different phases so you have trouble getting everything on the network. Then you also get issues with power strips consuming the signals, things generating interference, etc.

I'm really not a big fan of wireless either, but in practice Z-wave works a lot better.

Re:Networked light bulbs are useless and stupid

[JaredOfEuropa]

Hue uses a hub, which you can isolate from the internet if you want to. The hub is paired directly with the app or with other home automation hubs. And that is the way to keep such setups moderately safe.

Re:Networked light bulbs are useless and stupid

[JaredOfEuropa]

The bulbs themselves are not on the Internet directly, but on a Zigbee network, connecting to a Hue hub. The hub may or may not be connected to the internet (it doesn't need to be).

What I understand from the article is that the attack doesn't use the internet or exploit the WLAN, but subverts the Zigbee network. You need to be fairly close to hook into that, hence the use of a drone. Wardriving would work just as well. I'm not sure how vulnerable Zigbee networks are in general, but it must be pretty weak; I've messed with software designed to "steal" bulbs off a network (in order to add non-Hue bulbs to a Hue network)

The competing Z-wave standard will have similar issues: it is fairly easy for a device to trick itself into the network, and Z-Wave also supports wireless firmware updates (though very few actual devices implement it). At least the newer Z-Wave chips support encrypted links that make this stuff a lot harder... I guess the designers who came up with the first iteration thought that obscurity and the need for proximity were enough of a deterrent.

Re:Networked light bulbs are useless and stupid

[JaredOfEuropa]

You'd still need to run that wiring. The great thing about Hue is that it's a drop-in replacement for regular bulbs, no further installation is required.

wireless automation is bad.

[Gravis+Zero]

I'm a big fan of automation but wireless automation, especially the IoT blight is a horrible idea. If your primary defense is obscurity then accepting a broadcast from anywhere is a recipe for disaster. Wired automation is intrinsically safer because it requires physical access though I do not believe that should be it's only defense.

Re: wireless automation is bad.

[Zero__Kelvin]

No. Wired is not more secure in any measurable way, and once one has proximity it is likely to be *far less* secure because so many people believe this myth. Why would I encrypt? It isn't wireless! (God invented the VPN for a reason)

Re: wireless automation is bad.

[Khyber]

"No. Wired is not more secure in any measurable way,"

Bullshit, son. It's a little thing called PHYSICAL ACCESS REQUIRED.

Re: wireless automation is bad.

[Zero__Kelvin]

You clearly have no idea what I said. You should look up words you don't understand before responding. The point is that physical access is usually not that much harder to get that access from within range. Typically the use case is some in the building connecting wirelessly and some doing wired. Your security landscape model falsely focuses on external actors (exclusively at that from what I can tell) when internal attack vectors are the most commonly exploited.

Re: wireless automation is bad.

[Kjella]

The point is that physical access is usually not that much harder to get that access from within range.

Many offices are like that yes, where the access badge is just to keep random peeps from loitering for things to steal and anyone with semi-legitimate reason has access. Not every place is like that though, but disregarding that if you're talking about colored LEDs I'm mostly thinking home applications. And it's a lot harder to get access to my apartment than to get within range of my wifi. But who am I kidding, we'll probably hook it up to the IoT so it can be managed from the cloud. That puts the whole world "in range"...

Re: wireless automation is bad.

[Zero__Kelvin]

No, it absolutely does NOT mean that there is access to everything just because it is connected to the internet. Perhaps you've heard of online banking?

Re: wireless automation is bad.

[stealth_finger]

The point is that physical access is usually not that much harder to get that access from within range. Typically the use case is some in the building connecting wirelessly and some doing wired. .

That's his point. Physical access you have to be at one place, which usually has people in it. Your guy can sit anywhere and get in, he could literally be on the other side of the world and still access your shit. Security isn't all about encryption and 128 bit random passwords. Range is a big factor.

Re: wireless automation is bad.

[Khyber]

"You clearly have no idea what I said"

You clearly don't work in a facility where EVERYTHING NEEDS TO BE LOCKED DOWN. By the way, guess what most offices have over their AC unit controls? A LOCK BOX. Guess what's dead simple to put on an automated system and lock down with a similar lock box? A non-wireless LED lighting system.

Again, physical access requirements are far more secure than anything you're claiming.

Re: wireless automation is bad.

[Zero__Kelvin]

It's great that you have a niche security landscape. You should run off to a forum where others are dealing with your corner case and try to have an intelligent discussion the appropriate context!

Delivered a patch?

[smooth+wombat]

Who needs to patch a lightbulb?

Analog for the win!

$15 per bulb and they STILL suck

[JustAnotherOldGuy]

$15 per bulb and they STILL suck.

I like the part where they can make the infection "irreversible". Nice touch.

Guess what brand of bulb I won't be buying, even though it's supposedly patched?

Re:$15 per bulb and they STILL suck

[wvmarle]

I suppose that "irreversible" bit will work for any device that does not have a factory reset and allows for remote installation of firmware, thereby removing the factory default firmware and the ability to receive updates. It's quite simple to make it irreversible (easier than making it reversible) as all you do is not adding code to accept firmware updates.

Statement from ZigBee

[almeida]

ZigBee issued a press release today about this. They say the attack exploited a bug in one vendor's implementation of the protocol, not a weakness in the protocol itself.

Re:Statement from ZigBee

[stealth_finger]

So, basically they were holding it wrong?

Re:Statement from ZigBee

[geekmux]

So, basically they were holding it wrong?

Well, technically no. They were screwing it in wrong.

On a related note, I wonder how many engineers does it take to change light bulb?

Oh oh.

[MouseTheLuckyDog]

Now I will need a candle at night to read, because somebody might --you know tinker with my lights-- and force me to turn them off.

Re:Oh oh.

Until a drone flies by and blows your candle out.

Re:Litigation

[hyades1]

What's scary is that sooner or later, the hackers are going to start believing that going to a company with their findings is "all downside". The next step, of course, would be to sell their efforts to the highest bidder. And that, in turn, would probably lead to methods of anonymous transfer of wealth that might give average people access to some of the same tools as those routinely used by top banks, corporations and multi-billionaires.

It would be an interesting world.

Re:Trust the major players, not bargains.

[the_Bionic_lemming]

Subtle.

Philips, bright.... ... _ _ _ ...

What's the role of the drone?

[wvmarle]

Both TFS and TFA are really light on technical details - can anyone shed some light on where the drone comes in play? And also the vulnerability itself - a default password or something more obscure?

Another question would be of course why would those lights even have the ability to install new software in the first place. Is it really that hard to do software right, that no updates are needed for something as simple as a lamp?

Re:What's the role of the drone?

[cdrudge]

Another question would be of course why would those lights even have the ability to install new software in the first place. Is it really that hard to do software right, that no updates are needed for something as simple as a lamp?

Well, based on the fact that we're here talking about it, yeah, I'd say that there may circumstances where an update is needed because a flaw was found. Or would you rather just toss the bulb and go buy another updated one for $50?

Re:What's the role of the drone?

[wvmarle]

I'd rather have the manufacturer do a decent job in building their software, so that updates aren't necessary. If they think the update option should be there, there should also be a factory reset option to recover from any problems with that.

Re:What's the role of the drone?

[locopuyo]

They article didn't give any details, but it sounds they hacked the hub the lights connect to, not the lights themselves. They probably had to be on the same wifi network, hence the drone. So if the wifi network was secure this couldn't have happened, but the hub must have some sort of default password or way to take control if you simply have wifi access which isn't good security.

Re:What's the role of the drone?

[aug24]

They sent new firmware to the bulb over the ZigBee network, using the symmetric key baked into every bulb (which they first had to obtain) to sign it. Obtaining the key is hard-ish, but they didn't say how they did it.

obat sinusi

[MiaIlhamiaty]

Thanks For share. Today I learned a lot from your website,, If you have a problem we come with a recommendation for us, please visit my website Obat Sinusitis

Sudden revelation

[fph+il+quozientatore]

Oooh, now I understand what happened in Stranger Things.

Oh Noes!

[Anne+Thwacks]

It wasn't long ago that claiming "Trump is president!" would have gotten you locked up for your own protection

FTFY

Re:Oh Noes!

[ebvwfbw]

I remember when Reagan being President was laughed at. He's just an actor they said.
More recently I remember when they said Obama was a joke. He couldn't even get into the 2000 DNC convention. Besides, he's black! He doesn't stand a chance. I remember saying - watch this guy, I bet he's going to nail it and here we are.

So here we go again.