Hackers could leave Hue users in the dark, says researcher

Weaknesses in the wireless system used to control the Philips Hue lamp could leave users open to cyber attack, according to a computer security expert.

Researcher Nitesh Dhanjani said vulnerabilities in the Hue wireless controller’s authentication system could make it possible for malware on the computer network to control the lights – but Philips says the risk is ‘very limited’.

Dhanjani wrote in a blog post: ‘Lighting is critical to physical security. Smart light bulb systems are likely to be deployed in current and new residential and corporate constructions. An abuse case such as the ability of an intruder to remotely shut off lighting in locations such as hospitals and other public venues can result in serious consequences.’

Wander Bruijel, head of brand, communications and digital at Philips, told Lux Review: ‘In developing Hue we have used industry standard encryption and authentication techniques to ensure that unauthorised persons cannot gain access to lighting systems. An attack of the nature described in the reports requires that a computer on your private local network is compromised to send commands internally. This means there is very limited security risk if your home network is properly protected, as traffic passing between your devices and across the internet will remain fully secure.

‘However, if an attack is made upon your home network, everything contained within that network can be compromised. Therefore our main advice to customers is that they take steps to ensure they are secured from malicious attacks at a network level, in order to protect all of their devices, including Hue.’

The research shows how the so-called Internet of Things – everyday objects and devices that connect to the internet – creates new risks. Having lighting, door locks, thermostats and a whole host of other things connected to the internet could make them vulnerable to the same kinds of hacker attacks that have plagued computers for years.

Philips recommends that users contact their internet service provider for information on how best to protect their network.

The company has been in touch with Dhanjani and his research has been passed on to the security team working on Hue.

Bruijel said: ‘We’ve always been keen to maintain a dialogue with our growing ecosystem of third party Hue developers, testers and researchers and welcome comments and insights as this community continues to explore the product and our APIs. We have worked closely with agencies containing white hats [good hackers] and security experts to conduct penetration testing of the Hue system, and will continue to do so.’