Patch Your Philips Hue Lightbulbs To Stop Them From Getting Hacked -- And Potentially Everything Else On Your Network (fortune.com)
An anonymous reader shares a report: Four years ago, security researchers showed how a flying drone could hack an entire room full of Philips Hue smart light bulbs from outside a building, by setting off a virus-like chain reaction that jumped from bulb to bulb. Today, we're learning that vulnerability never got fully fixed -- and now, researchers have figured out a way to exploit that very same issue to potentially infiltrate your home or corporate network, unless you install a patch. That's the word from cybersecurity research firm Check Point Software, and the good news is you should already be safe from the worst part of the hack. If the Philips Hue Hub that controls your bulbs is connected to the internet, it should have automatically updated itself to version 1935144040 by now, which contains the patch you want. (Check Point informed Philips in November, and a patch was issued mid-January.)
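The summary says the fix lives in bridge firmware 1935144040 and that an internet-connected bridge should already have it. The script below is an added example (not code from the Fortune article, Check Point or Philips) for verifying that claim locally instead of trusting the auto-updater. It assumes the classic Hue local API at http://<bridge-ip>/api/<app-key>/, where the /config object carries the bridge "swversion" as a string of digits and the /lights map carries each bulb's own "swversion" and "state.reachable"; it also assumes bridge swversion numbers order chronologically, so a numeric >= comparison is meaningful. The page gives no bulb-side firmware threshold, so bulbs are only listed, with a flag for bulbs that are powered off and therefore unreachable over Zigbee. The sample JSON embedded at the top is constructed, not captured from a real bridge.

```python
"""Check a Hue bridge's reported firmware against the version named as patched.

Added example; assumptions: classic Hue local API layout (/config has a digit-only
"swversion", /lights has per-bulb "swversion" and "state.reachable"), and that
bridge version numbers increase over time so >= is a valid "at least" check.
"""
import json
import sys
import urllib.request

PATCHED_BRIDGE_SWVERSION = 1935144040  # the version the article summary names

# Constructed sample data in the shape of the local API responses (assumption).
SAMPLE_CONFIG = {"name": "Philips hue", "swversion": "1935144040", "apiversion": "1.35.0"}
SAMPLE_LIGHTS = {
    "1": {"name": "Hallway", "modelid": "LCT015", "swversion": "1.46.13_r26312",
          "state": {"on": True, "reachable": True}},
    "2": {"name": "Bedroom", "modelid": "LCT015", "swversion": "1.29.0_r21169",
          "state": {"on": False, "reachable": False}},
}


def parse_bridge_swversion(value):
    """Bridge swversion is a string of digits; return it as an int, or None if malformed."""
    text = str(value).strip() if value is not None else ""
    return int(text) if text.isdigit() else None


def bridge_is_patched(config):
    """True only when the bridge reports a version at or above the patched one.
    A missing or unparseable version counts as not patched (fail closed)."""
    version = parse_bridge_swversion(config.get("swversion"))
    return version is not None and version >= PATCHED_BRIDGE_SWVERSION


def light_report(lights):
    """One row per bulb. A bulb that is switched off at the wall is not reachable
    over Zigbee, so it cannot have taken any bulb-side update the bridge pushes."""
    rows = []
    for light_id in sorted(lights, key=lambda k: int(k) if k.isdigit() else 0):
        light = lights[light_id]
        rows.append({
            "id": light_id,
            "name": light.get("name", "?"),
            "model": light.get("modelid", "?"),
            "swversion": str(light.get("swversion", "?")),
            "reachable": bool(light.get("state", {}).get("reachable", False)),
        })
    return rows


def fetch_json(bridge_ip, app_key, resource):
    """Fetch /config or /lights from a real bridge on the local network."""
    url = f"http://{bridge_ip}/api/{app_key}/{resource}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def summarize(config, lights):
    """Human-readable lines: bridge verdict first, then one line per bulb."""
    verdict = "PATCHED" if bridge_is_patched(config) else "NOT PATCHED"
    lines = [f"bridge swversion={config.get('swversion')!r} -> {verdict}"]
    for row in light_report(lights):
        flag = "" if row["reachable"] else " (unreachable: powered off, cannot update)"
        lines.append(f"light {row['id']} {row['name']} {row['model']} fw={row['swversion']}{flag}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: hue_check.py <bridge-ip> <app-key>
        cfg = fetch_json(sys.argv[1], sys.argv[2], "config")
        lts = fetch_json(sys.argv[1], sys.argv[2], "lights")
    else:  # no bridge given: run against the constructed sample
        cfg, lts = SAMPLE_CONFIG, SAMPLE_LIGHTS
    print("\n".join(summarize(cfg, lts)))
```

Run it with no arguments to see the sample output, or with the bridge's LAN address and an app key created by pressing the link button. The check fails closed: a bridge that returns no version, or a non-numeric one, is reported as not patched rather than silently passing.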
Patch. Your. Lightbulbs. (Score:5, Insightful)
I give up.
Re:Patch. Your. Lightbulbs. (Score:5, Insightful)
Year 2020: Flying cars? No. Needing to make sure your firmware is up-to-date on your lightbulbs. Yes.
Re:Patch. Your. Lightbulbs. (Score:5, Funny)
Year 2020: Flying cars? No. Needing to make sure your firmware is up-to-date on your lightbulbs. Yes.
This is progress. Back in the day when my personal computer loudly whirling and buzzing on my desk was segfaulting while booting from a floppy drive I never dreamed that one day a light bulb will be able to do this remotely.
Re: Patch. Your. Lightbulbs. (Score:2)
Back in the day when my personal computer loudly whirling
Legacy PCs in heavy steel chassis with tiny heatsinks and wimpy power-supply fans were virtually silent, other than those floppy reads and writes.
Re: (Score:2)
The modems! Don't forget the modem sounds!
Re: (Score:2)
EeeeEeee EeeeEeee EeeeEeee EeeeEeee EeeeEeee EEEE EEEE EEEE EEEE EEEE WOOOSHHHHHHHH ZUHBUHZZZZZZZZ IIIIIIII BUZZZZZZZ whooooshhhhhh sssssHHHHHHHHHHH!
Your ideas are intriguing to me and I wish to subscribe to your newsletter.
Re: (Score:2)
And don't forget the early DSL connections that were "dialup" rather than "always on" that played the same sounds through the PC speaker while connecting because it was supposedly "comforting" (to some class of user that we avoid describing further).
Re: (Score:2)
The modems! Don't forget the modem sounds!
ahh, yes, the anguished cry of a lonely MODEM, who could forget ...
that frying-bacon sound.... (Score:2)
Turns off the speaker. First thing you do on any modem. Thereafter you only hear the clicks as the line is picked up and dropped. You're welcome.
Spoken like a true greybeard firing up the modem at 2AM to download porn. Wouldn't want to wake the wife up.
But you need that frying-bacon sound and whirr-beep to diagnose why the connection fails!
Re: (Score:2)
ATM0.
Turns off the speaker. First thing you do on any modem. Thereafter you only hear the clicks as the line is picked up and dropped. You're welcome.
Spoken like a true greybeard firing up the modem at 2AM to download porn. Wouldn't want to wake the wife up.
LOL... At 300 baud, it took basically all night to download one GIF. When JPEGs and 1200 baud modems appeared, I was in heaven.
Re: Patch. Your. Lightbulbs. (Score:2)
My 1.7GB Fujitsu HDD from the mid 90s disagrees. And I'm not talking about seek noise. The motor was LOUD.
Re: (Score:2)
"My 1.7GB Fujitsu HDD from the mid 90s disagrees. And I'm not talking about seek noise. The motor was LOUD"
You young whippersnappers, if you ever heard a full-height 20 MEGAbyte hard disk doing a dBASE REINDEX, then you would know what 'loud' means.
Re: (Score:2)
That is nothing. I remember compsurf'ing two chains of CDC Wren IV (600 MB) drives simultaneously (14 drives) all sitting on the hardwood floor. Now THAT was a noise, and it carried on for about 28 hours. Of course, each drive needed its own 200 Watt Power Supply because things were a little power hungry those days...
Re: (Score:2)
I think it was an 80g drive on the Pr1me minicomputer I used to deal with.
The thing was beneath the OS's required RAM memory (3/8 rather than half a meg), and you could hear it a couple of rooms away when I simply asked for a directory listing. . . on actually compiling it "paged its brains out" . . .
hawk
Re: (Score:2)
That one had a stepper motor for the head positioning. Those (and modern drives all of which use stepper motors of various sorts) go clackity-clack when positioning the head. Earlier drives used voice-coil head positioners that were quite musical and went eeeep eeeep when positioning the heads.
Re: Patch. Your. Lightbulbs. (Score:2)
then don't forget mandatory speaker beeps. I don't know what machines you worked on
Virtually everything x86, and I'll state again: other than their floppy drives, standard PCs from the late '80s to the mid-'90s were a lot quieter than the wind tunnels that came later.
Re: (Score:2)
The IBM PC and PC/XT certainly were not quiet. The power supply noise alone was quite loud compared to my current computer which isn't quiet by any means. The hard drives were quite loud back then too. Just the whine of the platters was quite annoying back in the early 90s, especially on a computer that had run for several years. I guess the bearings wore out. As others mentioned, the stepper motors in early hard drives were loud also. I remember being told that when I needed to reboot the PC, hit the bi
Re: (Score:2)
Mmmmm, I gotta disagree.
My PC XT (and later the AT) sounded like jumbo jets spinning up. They were anything but quiet. Even the floppy drives could be heard in the next room. The HD sounded like shaking a dice cup with all the clickety-clackety noises. The only time we worried was when we didn't hear noises.
Re: (Score:3)
Considering how people drive, I don't really want flying cars.....
Re: Patch. Your. Lightbulbs. (Score:2)
Hue bulbs are zigbee, only the hub connects to the network. Sure, zigbee is technically a network by virtue of it being a mesh, but it's not layer 3, so it can't route over the public internet without a lot of help.
Re:Patch. Your. Lightbulbs. (Score:5, Funny)
What do you mean you don't want to do all of this for a freaking light bulb?!
Re:Patch. Your. Lightbulbs. (Score:5, Interesting)
It's not a problem at all. FTA:
Check Point Research discovered the flaw, which would allow cybercriminals to gain entry from over 100 meters away using only a laptop and an antenna.
So if you're using philips hue bulbs in your home, and cybercriminals are out to get you, and they know where you live, and they know you have the bulbs, and they craft a specific hack, get a van and an antenna, and then go park on your street they could get onto your home network.
I'm sure that this happens all of the damn time. Right up there with elephant attacks in major US cities and sharknadoes.
Seriously, just because something is theoretically possible doesn't make it remotely likely to ever be abused. Glad they're patching this, but I honestly have 0 concerns about people leaving it unpatched. The resources and knowledge needed to deploy this hack just aren't going to be used against the consumers who bought these bulbs. The cost-benefit doesn't work out. And I doubt that the Pentagon or NSA are using hue bulbs....
Re: (Score:2)
Where does the ethernet cable plug in? ;)
Perhaps the fact that they are Children's Band only should provide a clue as to their anticipated security profile.
Re: (Score:2)
It sounds more like a joke from Futurama....
Re:Patch. Your. Lightbulbs. (Score:5, Interesting)
Absolutely worth it.
I live far enough north that winters are dark and bleak. I've got the hue bulbs set up to mimic a sunrise in the morning and a sunset in the evening. Same time, year round. The only difference is that I really need to adjust what time the lights first come on in the evening, from anywhere like 3pm in the depths of winter to like 7pm at the peak of summer.
My wife and I really used to struggle with getting up in the dark winter mornings, because we'd go from pitch black to bright white. That sucks. Now there's a faux pre-dawn deep purple glow that brightens to a red-orange sunrise, an hour later which shifts to a yellow-white daylight, and an hour after that a blue-white mid-morning sort of color. Without an alarm I wake up somewhere in that progression, usually right about at the "sunrise" part. That makes dark cold winter mornings massively more pleasant than a shrieking alarm and blinding white lights ever could.
Likewise, having a consistent sunset in the evening helps trigger us to go to bed. By about 10pm we've gone through a sunset in the house and are headed towards that dark purple that's soon going to fade into a black sky. When it's getting darker and darker in your house, your natural circadian rhythm kicks in and you want to go to bed.
Lots of people have issues sleeping because they fight this as hard as possible in the evenings. The darker it gets, the more lights they turn on. We do the opposite, and when the last lights are kicking off, we're headed to bed. Getting too dark to read? It's bedtime.
While I could sort-of approximate this with a bunch of timers and dimmers, I wouldn't be able to get the more natural color progression which I find is the most helpful in nailing a circadian rhythm down. We evolved out under the stars, with sunrises and sunsets, not white lights.
What price do you put on consistently good sleep?
Re: (Score:2)
That actually sounds really nice, I am tempted to get one and try it now.
But it needs to be secure, which means isolating it on a separate wifi network with no internet access. Suddenly the infrastructure cost went up.
Are Philips the best?
Re: (Score:2)
Yep. Ikea ones are okay as well. But don't touch the Osram stuff, they are crap.
One caveat, though. You can mix zigbee devices from different manufacturers on one hub, but that doesn't work that well and you can only update their firmware with their native hub, so it is better to stick with one manufacturer.
Re: (Score:2)
The IKEA ones don't seem to change colour though, only dim. I looked at the Philips ones on Amazon and they are pretty expensive, but I guess it's worth it if it improves your sleep.
It looks like I need to do some research. At least the Philips ones are well reverse engineered so you are stuck with their ecosystem.
Re: (Score:3)
Ikea has some that are only dimmable (the cheapest), some that are white but with selectable colour temperature (more expensive) and some that are RGB (most expensive). All of them are quite a bit cheaper than Philips, at least here in Germany.
Re: (Score:2)
I have both Hue and Osram stuff that I control from a Wink 2 hub and have been happy with both. Hardware-wise the latest gen Hue bulbs probably have better overall color reproduction than Osram bulbs with certain colors (the 1st gen Hue ones sucked at certain colors as well). But, Osram light strips are far more consumer friendly, coming in easily joinable 2' segments as well as a full assortment of connectors, and are so much cheaper it is not even comparable. So, I have my living room full of Hue lights
Re: (Score:2)
What price do you put on consistently good sleep?
I guess it's worth whatever is left in my bank account after some guy driving by my house empties it.
Re: (Score:2)
> While I could sort-of approximate this with a bunch of timers and dimmers
> Sounds like the functionality could be approximated for the next few hundred years with a date&time and lat+longitude the user enters into the unconnected device that isn't dependent on phoning home.
? It needs to phone home to get the time, instead of using its built in clock? The Hue bridge doesn't need any external connectivity at all to function. I have the system and that's one of the reasons I bought that system i
Re: (Score:2)
Definitely worth it for me. It is very nice to voice-control the lights and power sockets, changing the light temperature on a whim, using the ceiling lamp as a wake-up light and so on.
Re: (Score:3)
Yes. I bought a few to play with. They're nice. I've got a couple in the living room and a couple more in the bedroom, all programmed to be bright white in the morning and tungsten warm in the evening.
"Vulnerability" involves someone flying an xbee-carrying drone outside your window and hacking your network. Or it did, before it was automatically patched. If someone wants to go to those lengths to more directly spy on my encrypted traffic... okay.
Re: (Score:2)
I stand in amazement also. Genuinely curious, for those who have these sorts of bulbs, is the added value worth the cost (plus vulnerability)?
It really depends on whether you like having control over the color of your light bulbs-- if not, there's no point. However, I don't think the Philips Hue bulbs are the best ones out there. LIFX bulbs are supposed to be brighter (1100 lumens vs 800, which is more useful as a reading light), with a better color range. There are a lot of newer brands out there too.
Re: (Score:2)
>I don't think the Philips Hue bulbs are the best ones out there. LIFX bulbs are supposed to be brighter (1100 lumens vs 800, which is more useful as a reading light), with a better color range
Disclaimer: I have the Hue system.
The LIFX bulbs for me lose simply based on the fact that they are wifi bulbs that call a cloud mothership for instructions constantly. The killer-app of the Hue system for me is that the local bridge controls the devices, even if your house's internet is out. The day whoever run
Re: (Score:2)
I own 4.
I use 1.
The one I use is set to 1% red; it's on 24x7 in the bathroom. Makes a good nightlight.
3 are just expensive light bulbs.
The "Bridge" has its Ethernet cable unplugged.
$150 for a red nightlight, no I wouldn't do it again, but it seemed...cool?
Re: (Score:2)
Genuinely curious, for those who have these sorts of bulbs, is the added value worth the cost (plus vulnerability)?
Yes. "Hey Siri, goodnight" is a huge convenience over walking throughout the house turning off switches and fixtures. Turning on/off the backyard lights from out in the yard, turning on the various lights by voice when I come home with my arms full of groceries, it's a huge advantage. And as I said in another response, the color-changing isn't just a gimmick. I can set my living room to be dark colors for TV watching, a mix for reading, and bright white for projects or housecleaning. Being able to do that w
Re: (Score:2)
I have them. They are expensive, but also very useful. I can control the lights throughout my place with a voice command, a tap of a button on a zigbee switch (which the Philips ones are removable from their plates - held on by magnets - so you can take them places if you need) or use an app on a phone or tablet to control as well. They can also run time based routines, set different color schemes based on mood, images and a ton of other things. It's fun to light up the room in your local team's colors
Re: (Score:2)
Heroin has the same effect and is probably less expensive.
Re:Patch. Your. Lightbulbs. (Score:5, Interesting)
I get it if you're happy with a light attached to an old fashioned switch. But you can do so much more with smart bulbs, and it's easy (for me at least) to see why folk want them. The ability to change color to set a mood, the ability to turn on interior lights when you unlock your front door, having lights come on 30 minutes before sunset and turn off shortly after sunrise, and so on.
Of course if something is networked, there are bound to be patches. It's part of the territory.
What I'm less sure about is the summary. It says you need to patch your bulbs, but implies the hub will update itself if it's connected to the internet. So it looks like the only thing needed is to have an internet connected hub and have your bulbs turned on. That's as it should be.
Now, where I'm concerned is with third party bulbs. What if you're using an Ikea bulb on a Hue hub? Is it vulnerable? If so, will it be updated?
Re: (Score:3)
"I get it if you're happy with a light attached to an old fashioned switch. But you can do so much more with smart bulbs, and it's easy (for me at least) to see why folk want them. The ability to change color to set a mood, the ability to turn on interior lights when you unlock your front door, having lights come on 30 minutes before sunset and turn off shortly after sunrise, and so on."
That's strange, this was being done with dumb bulbs 30+ years ago. If you wanted to get very fancy-shmancy, you co
Re: (Score:2)
But before it required running additional wires to each bulb - not very practical for most people and much more expensive. The simple way is just to use a wireless protocol
Re: (Score:2)
That's funny, I don't remember being able to control the color of a light 30 years ago. Or control the color and brightness of an LED from a simple toggle wall switch. Or being able to see how much wattage a light was using without installing extra hardware. Or be able to tell the light to fade out or in over a set period of time.
Re: (Score:2)
I don't see the point of being able to make my lights purple or green. Maybe if you are a big fan of the original Star Trek or something.
But colour temperature, now that's useful. For some reason you can't buy them here but in Japan they are almost standard now for living rooms. 5000K for daylight for doing work, 3000K incandescent simulation for the evening. Usually set via a remote control although of course wifi/app is available now.
Re: (Score:2)
RGB zigbee lamps can be synchronised to music. Not useful per se, but the lightshow might be fun for some people.
Re: (Score:2)
I don't see the point of being able to make my lights purple or green. Maybe if you are a big fan of the original Star Trek or something
In my living room it's dark colors for watching TV, a mix if sitting around reading, and bright white for projects or housecleaning. My lights often progress through all three in the course of evening.
Re: (Score:2)
"I get it if you're happy not smoking meth. But you can do so much more when you smoke meth."
Just because people want something doesn't mean they should have it.
Re: (Score:2)
There's still no reason these things should be wireless, you can actually establish an ethernet connection through the electrical wiring of a house.
Re: (Score:2)
which takes us to 1950s technology!
(OK, it could have been done decades earlier, but I haven't seen references. Mine may be to The Boy Mechanic, but I'm not sure . . .)
One of the books I had as a child, left over from my father's childhood, had a project to build a house intercom which used the AC wiring and vacuum tubes . . .
the extremely small number of bits needed to control lightbulb would take far less bandwidth than speech . . .
hawk
thanks Philips, ruined a perfectly good joke (Score:5, Funny)
A: None. That's a software problem.
Re: (Score:2)
Nah - the joke just changed. "How many X does it take to patch a lightbulb?"
Re: (Score:2)
I hope you've succeeded in inventing a new genre of lightbulb jokes, but... Kids these days are probably wondering why it is theoretically possible to change a lightbulb.
Having said that, I once did have to replace an LED lightbulb. I feel special, even though I think it was the humidity that killed it.
Which is why.... (Score:4, Interesting)
Which is why I put all the IoT devices on isolated networks.
I have three wireless networks: one for my computing devices (phones, tablets, laptops), one for my video streaming devices (Roku, Apple TV etc) and one for all the IoT devices like my thermostats, lights, cameras and such. I run a firewall between these segments so I can access my IoT devices from my phone or tablet, but the IoT devices can only get to the internet.
I know it's a pain, but I run professional network equipment at home, not that consumer router garbage, so it's actually pretty easy to isolate off those IoT devices and protect the rest of my network from exploits like this. So you may be able to get into my IoT network, but you are not going to see anything if you try and pivot from that network. I run intrusion detection on all my segments too, so I'm likely to be able to shut down stuff like this when I get the e-mail.
Re: (Score:2)
Something tells me there could be a market for "consumer router garbage" to have built-in settings (wizards, really) to allow such network environments.
Re: (Score:2)
Consumer devices generally share one problem, they are all in one devices. You get a router, firewall, AP, switching and a couple of other things all in one box. Where this works and is cheaper, it's a security risk because you have all your eggs in one basket. If there is some exploit that gets a hacker into your router, they own your firewall, switching and Access Point too.
Personally, I prefer separate devices. I have a "router/firewall" device, three switches and one Access Point which are all separa
Re: (Score:2)
Oh, I'm totally with you. There is reduced risk in separation. However, I'm also a follower of the maxims "Better is better" and "Don't let perfect be the enemy of good."
Re: (Score:2)
As much fun as it is to bash on Apple, they did announce "Homekit" routers, which isolate those devices automagically. It's a good idea, it's being implemented but it would be nice to see more universal solutions available.
Re: (Score:2)
and how do you "isolate" your wireless networks? How does this apply to Philips Hue networks?
Hue lights aren't on an IP network and don't interact with your "professional network equipment" or "consumer router garbage".
Re: (Score:2)
Not exactly true. The Hue lights communicate through a bridge which IS on an IP network. THAT IoT device is what I isolate.
If you want to hack into the ZigBee network used by the Hue lights, you are not going to have much luck doing anything but switching lights on and off. Have fun, but due to the range of ZigBee network signals, I'm likely to catch you trespassing (Which in Texas isn't a good idea.)
Re: (Score:2)
Just remember,
Pull the body fully inside the house...
Re: (Score:2)
I know it's a pain, but I run professional network equipment at home, not that consumer router garbage, so it's actually pretty easy to isolate off those IoT devices and protect the rest of my network from exploits like this.
Except typical firewalls cannot proxy mDNS/zeroconf/Bonjour between networks, so a lot of stuff needs to stay on the same L2 network.
You can play with transparent firewalling, but for me that's just too much pain.
Re: (Score:2)
Why do I want mDNS/zeroconf/Bonjour between networks? The whole point of separate networks is separation, not togetherness.
And yes, you CAN proxy multicast and broadcast traffic between networks if you want. Though that defeats the whole purpose of isolated L2 networks in the first place. If you want that crap proxied across L2 networks, then why do you have separate L2 networks?
Re:Which is why.... (Score:5, Funny)
This system is so secure you have to physically break into the house to access them. And I save money as they don't use any vampire electricity when in the off state.
Re: (Score:2)
Ah yes. And hopefully they are trained properly to let anyone in and even help them pile everything they want to steal by the door. But if they try to leave without then the intruder should be put up on the fridge and kept there.
Re: (Score:3)
You have the skills to do that, but that makes you unusual. If you need to be an IT professional to set up your light bulbs so they don't get hacked, something is very wrong. Consumer products need to be secure when used by ordinary consumers on ordinary consumer networks. If they aren't, then they're fatally flawed.
Re: (Score:2)
Come on, it's not hard to shove IoT devices into a DMZ network if you understand the concepts... Except that consumer level stuff is brain dead simple and needs to "just work" there is little reason they don't come out of the box configured to do this kind of thing.
The lightbulb is out (Score:5, Insightful)
Re: (Score:2)
I think if we're to the point that we have to patch lightbulbs, we really need to take a step back and reassess if we really need these things connected.
I've reconsidered and even with the need to patch them, I still want these devices. Of course I put them on their own isolated network with other IoT devices for safety, but hey, that's just the network admin part of me that just naturally isolates off dangerous stuff...
Re: (Score:3)
Some of us assessed this years ago.
Anything reliant on someone else's server or an "app" should be considered a short lived gadget at best. I have lightbulbs that are pushing a dozen years old, which is far longer than the half-life of any software-as-a-service. I also pay zero monthly subscriptions on them, same with my fridge, washing machine, speakers, and so forth.
Any non-standalone appliance is a liability and should be avoided like the plague. I assume that any "connected" functionality will be dea
We have gone full on stupid here (Score:5, Insightful)
"Patch your light bulbs"
10 years ago, this would have gotten you branded a loony toon.
Re: (Score:2)
IoT security flaws have been a thing for longer than 10 years.
Really stretching here (Score:3)
Re: (Score:2)
Are you saying you should only patch your hardware if you have a basement greenhouse or is smart lighting just a new concept to you? Because if it's the first, then you're wrong, all of them should be updated (just a couple taps in the app) and if it's the second, maybe a site about technology isn't the right place for you if you can't imagine people liking convenient new technologies
Re: (Score:2)
As far as I can tell the only difference is whether the smarts are on an external box or on the bulb. While I can certainly see how the external box approach would be cheaper over the life of multiple bulbs, that's not enough to make it "beyond stupid" in my mind. I suspect, therefore, that you see some other qualitative difference between the cases. Can you explain?
Re:Really stretching here (Score:4)
In the event that you find yourself in the inconvenient situation of being out and wanting to adjust your home lighting, I would suggest reconsidering your life choices and perhaps a trip to a mental health professional as a better remedy to the inconvenience you are experiencing.
Welcome to the IoST (Score:3)
The Internet of Stupid Things.
Who at Phillips is going to jail for this? (Score:2)
Re: (Score:2)
Not even Philips thinks these things are secure. They disavow any liability for damages due to software problems, have almost no warranty, and do not come with liability insurance. They should be treated as the manufacturer intends, like a children's novelty item (i.e., a toy) and not a serious product.
Sure. (Score:2)
I will do that as soon as I'm willing to pay $50 for a lightbulb.
This is the sort of pricing the Phoebus cartel would have had wet dreams about.
sigh (Score:2)
This sort of thing makes lightbulb jokes immediately unfunny.
Where's the real informative posts? (Score:5, Insightful)
Re: (Score:2)
This is good to know. Thanks!
Re:Where's the real informative posts? (Score:4, Insightful)
There's good reasons to use these devices, and good reasons not to. It all comes down to personal preferences.
Re: (Score:3)
People tend to s
O Brave New World (Score:2)
O Brave New World, that has such wonders in it.
I honestly never foresaw the day when we would need to "patch our lightbulbs" to keep my bank account safe.
I'm still not sure that this isn't an early April Fool's Day joke, but then again, it's Philips ("Yesterday's Technology Tomorrow!").
Okay, now that's some innovative shit! (Score:2)
Seriously- they can make a lightbulb so advanced that it needs to be patched. That's some forward-thinking shit right there.
I'm in awe.