Updated to add comment from Belkin.
Attention Philips Hue device owners: You need to update the Philips Hue Bridge's software, because hackers could exploit Philips Hue smart light bulbs to get into your home network via the bridge.
This flaw, which has not been completely disclosed, was discovered by Israeli firm Check Point and exploits fundamental flaws in the ZigBee low-power, short-range wireless protocol used by many smart-home devices.
Exploiting the vulnerability "enables a threat actor to gain entry and spread malware into a home or office's computer network via a connected home device," Check Point said in a press release.
Here's a fun video showing just such an attack.
How to head off the Hue hack
ZigBee is also used by Amazon Echo, Belkin WeMo and Samsung SmartThings devices, among others. But until we get more details about the flaw, we won't know whether those brands are vulnerable to attack.
"We patched [the flaw] in January before the details of the findings were disclosed publicly," a spokeswoman for Signify, makers of Philips Hue devices, told Tom's Guide. "The researchers, with whom we cooperated via our responsible disclosure process, merely demonstrated the possibility of an attack. They did not disclose information necessary for someone else to do so."
[A Belkin representative gave us this statement after this story was first published: "We take security with utmost priority and we can confirm that Wemo uses ZigBee HA Profile, which is not vulnerable to the commissioning attack mentioned in the article. However, as a reminder for best security practices, users should always keep firmware updated on all connected devices."]
To update your Philips Hue bridge, go into the Philips Hue mobile app, open Settings and click Software update. The app will reach out to find software updates online and install them on the Philips Hue bridge.
You can also set the mobile app to download and install updates automatically. You'll want to make sure you upgrade to firmware version 1935144040 if you've got one of the newer square bridges, and firmware version 01043064 if you've got one of the older round bridges.
'ZigBee chain reaction'
Check Point's discovery builds upon earlier work by Israeli academic researchers Eyal Ronen, Achi-Or Weingarten and Adi Shamir, plus Canadian researcher Colin O'Flynn. (Shamir is one of the developers of the RSA two-key encryption system that's widely used today to protect internet communications.)
In 2016, this team figured out how to use ZigBee-enabled smart light bulbs to create an Internet of Things worm, a form of malware that can move from one device to another on its own. We'll let the introduction to their academic paper (opens in new tab), subtly entitled "IoT Goes Nuclear: Creating a ZigBee Chain Reaction (opens in new tab)," speak for itself.
"We describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass," the paper states.
"We developed and verified such an infection using the popular Philips Hue smart lamps as a platform," it adds. "The worm spreads by jumping directly from one lamp to its neighbors."
Smart bulbs aren't yet that widespread, but imagining that they were, the academics describe a rather dramatic scenario.
"The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDoS attack."
Tick tick tick...
Sadly for internet scaremongers and Hollywood screenwriters, Philips Hue subsequently fixed the flaw that let the worm spread among smart bulbs.
But, according to Check Point, "due to design limitations, the vendor was only able to fix the propagation vulnerability, thus attackers could still take over a target's Hue lightbulb."
That gave the Check Point team entry into the ZigBee network — and from there to the Philips Hue bridge. The bridge connects the low-power ZigBee network to high-power Wi-Fi and Bluetooth networks, and the Check Point researchers were able to exploit the undisclosed flaw to move out into the greater home Wi-Fi network.
Again, we don't know if this flaw can be exploited on other manufacturers' smart-home products. But a Check Point spokesman told us that "we believe it is probable that other products will have a similar vulnerability in their implementation as well."