back to article Philips' smart lights left in the dark by dumb security

The Philips Hue “smart lighting” system uses a dumb-as-a-sack-of-hammers device authentication scheme that allows anyone with the iPhone control app to issue instructions to the controller via HTTP. According to researcher Nitesh Dhanjani, who has form looking at iPhone security, the “perpetual blackout” (PDF) vulnerability …


This topic is closed for new posts.
  1. Yet Another Anonymous coward Silver badge

    Is MD53

    48 times as safe as MD5?

    1. Sorry that handle is already taken. Silver badge

      Re: Is MD53

      That would be MD240, shurely?

      1. Mips

        Re: Is MD53

        Alternatively 3.55 exp33.

        Philips are soooo smart.

  2. Don Jefe

    Post Analysis

    The Internet has been in the hands of the public long enough that stuff like this is inexcusable. It has been proven countless times that someone is absolutely guaranteed to screw with your product if it is connected. The days of assuming that the Internet is full of 'dumb users* is long over and product development teams must start to think about how total nutcases and assholes will abuse their products.

    *The users are still, by and large, dumb, but enough of them have sufficient tech knowledge to absolutely ruin your product.

    1. Yet Another Anonymous coward Silver badge

      Re: Post Analysis

      On the other hand a light bulb that requires biometric login , 2 factor authentication and a 8digit RSA-ID that changes every 30seconds is also rather useless

      1. Allan George Dyer Silver badge

        Re: Post Analysis

        Sure, but Phillips chose security-through-obscurity. They could have chosen a random number at authorisation time to use as a shared secret. I bet the developers had a discussion...

        "So what happens if the user has a disc failure or installs a new OS?"

        "Well, they'll have to reauthorize"

        "No good, too inconvenient"

        "Well, the MAC address will usually stay the same"

        "Too obvious"

        "We could hash it"


        "with MD53"

        "with What? Yeah, sure NO-ONE will guess that"

  3. Frank Zuiderduin

    Why are you to dumb to spell the name properly in the title?

    1. Anonymous Coward
      Anonymous Coward

      "Why are you to dumb to spell the name properly in the title?"

      Oops. Or should that be "Durr ..." ?

    2. Anonymous Coward
      Anonymous Coward

      Why are you to dumb to spell the name properly in the title?

      Welcome to Dosche's Law. It states that in the process of correcting someone else's posting, they, too, will screw up their own posting.

      1. Sorry that handle is already taken. Silver badge

        Dosche's Law?

        The term you're looking for is "Muphry's Law".

        1. Darth_RayDar

          Re: Dosche's Law?

          That would be "Morphy's Law".

          1. Sorry that handle is already taken. Silver badge
        2. heyrick Silver badge

          Re: Dosche's Law?

          "The term you're looking for is "Muphry's Law".“

          Maybe he meant "Douche's Law"?

          1. Anonymous Coward
            Anonymous Coward

            Re: Dosche's Law?

            Maybe he meant "Douche's Law"?

            That would depend on how well you know the Ward Dosche in question ;)

        3. Anonymous Coward
          Anonymous Coward

          Re: Dosche's Law?

          No. Dosche's Law as coined by Ward Dosche, currently Zone 2 coordinator of Fidonet. He coined this "law" at least 20 years ago when confronted by numerous others trying to play spelling-Nazi on his posts ;)

  4. Anonymous Coward
    Anonymous Coward

    Overprice carp

    Only suckers and shrills raves about this grossly overprice junk; the poor security is hardly surprising.

    It is quite fitting that it is sold in Apple (sucker) stores.

    1. Steve 13

      Re: Overprice carp


      Do you mean shills?

      Nobody was raving about it anyway...

  5. Anonymous Coward
    Anonymous Coward

    Last I heard

    Philips were trying to make this communication method the new standard for office lighting control.

    I wonder what happened at the last planning meeting?

  6. John Tserkezis

    "Honey, the lights don't work again"

    No problem, ask the guy parked outside our house downloading porn to turn them back on again.

  7. frank ly

    Getting the entire story

    It would be interesting to talk with the actual designers/developers for this product and ask them what their initial ideas were, what time and budget pressures they were working under and what management/marketing interference they were subjected to. However, I'm sure that Phillips would fight tooth and nail to prevent that and would quietly threaten dismissal to anyone who spoke to the press.

    Would any ACs like to give information?

    1. Brewster's Angle Grinder Silver badge

      Re: Getting the entire story

      I'm going to save your first sentence, Frank, and post it into every security story. It's probably closer to the truth than most of the teenage rants.

      But, equally, I've been the most clued up developer on a project, working under sympathetic management. (Managers are quite responsive to "Think of the PR disaster if this worst case scenario happens.") And then, five years down the line, I've discovered what I wrote was cack.

      Given what Philips are doing, you would hope they used security experts rather than gave it to some smart-seeming graduates who said, "We can handle that." The evidence is less compelling.

  8. Neil Barnes Silver badge

    Call me old fashioned, but...


    Power supply.




    Death to the Internet of Things!

    1. Pascal Monett Silver badge

      Allow me to add :

      Double shotgun barrel to the face of any prick who wants to plug my fridge into the Web.

      1. John 110

        Fine as long...

        Fine as long as your Connected shotgun hasn't been hacked...

    2. Z-Eden

      Re: Call me old fashioned, but...

      I third the call to bring "Death to Internet of Things!"

      Also, it'd be more insidious if timers are put in the script so the lights randomly flash throughout the night starting at around 1am. User won't know there's a problem until he's woken up... Bonus points for making it flash out in Morse Code "Wake up sucker!"

  9. Paul B

    I don't think lightbulb security is really an issue. Who is going to use these? People who go on holiday or are otherwise out and about is about the only really useful use case, and who will give a shit if their lights go on and off randomly when they are not in?

    Still mildly interesting to see how it works though, but I think MAC address as a use of security is fine. I don't think these will be used in public places. If these lights go on and off randomly (if I had the money to waste on them) I'd throw them in the bin, and think no more of it.

    1. Jonathan Richards 1 Silver badge

      I think you are mistaken ...

      ... in that this isn't an issue which affects the light bulbs per se, the video seems to indicate that it's the automation hub device that is compromised. If you sigh, chuck out the smart bulbs and buy replacements, they'll still be under the thrall of the malware. The only way to make your lightswitches work again is to take the hub device offline, as in the video.

      I agree with you that this is one of those 'do it because we can' solutions in search of a problem, and I am not going to be exposed any time soon (I upvoted "Death to the Internet of Things!"), but it's interesting that in 2013 flawed implementations like this find their way all the way to the marketplace.

    2. Steve 13
      Thumb Down

      I think you've entirely missed the point (what the PR department says is the point) of these bulbs.

      If you just want to look like your home when you're on holiday, use a timer plug and a lamp.

      1. Alex Rose

        I think you're a bit confused...

        If you want to look like your home then you'd need a costume to make you look like a house/flat etc.

  10. Karl Itschen

    Not such a big deal

    It's really not such a big deal.

    - It's really easy to fix. They could MD5 any other value from the iPhone instead of the MAC. Or even a random value. Expect it in the next app update.

    - Commercial applications (hospitals, offices) will not use the consumer Hue bridge, but a commercial grade gateway, which will have a different API/access control. The only critical part is the ZigBee over-the-air security.

    - The attacker must first have access to the LAN which requires to exploit a vulnerability in the host PC. Makes the whole thing much less probable.

  11. Gene Cash Silver badge

    My 3M wi-fi thermostat doesn't do ANY authentication at all.

    You send a http request and it does it. It sits firmly behind my firewall, but I still worry about someone getting through the wi-fi security itself. Fortunately my neighbors are not so technical.

    Heck, it doesn't even seem to enforce minimum time-outs for switching between heating and cooling. You can flip back and forth until the compressor dies.

    1. Androgynous Cupboard Silver badge

      Re: My 3M wi-fi thermostat doesn't do ANY authentication at all.

      Given the bulb has to be on the wireless network, I kind of wondered why they bothered?

      Instead of half-arsed security that was always going to be broken and which certainly took them non-zero effort to create, why not just take out the security altogether and add a warning to "secure your network properly". Passes the buck neatly passed to the homeowner, it's less expensive for Philips, and it would have saved them a bad headline.

  12. ForthIsNotDead


    ...nobody appears to have commented on the fact that an internet connected light bulb is a totally shit idea, as useless as the internet connected fridge.

    Why FFS do I want an internet connected light bulb?


    1. Roo

      Re: Er...

      "Why FFS do I want an internet connected light bulb?"

      I'm not going to bother convincing you that you need an internet connected light bulb, because I don't want one either... That said I can see a benefit in that you don't have to run power cable cable everywhere just to connect the bulbs to the switches on the wall. Could be handy if it's difficult/expensive/dangerous to run a power cable where you want the switch.

      I guess it could also be handy if you don't want light switches cluttering up your walls, but personally I'm comfortable enough with switches and running 250VAC @ 5A around the place. :)

      1. Dan Paul

        Re: Er...Not power cabling but SIGNAL cabling

        The Phillips lights are wirelessly controlled on Zigbee, Enocean or some other comm protocol versus being wired to some controller. The bridge connects to the internet (of things) . This allows the automation of lighting without having hard wired control signals. If you have ever tried to retrofit hardwired control signals for these applications you will soon see the economy of wireless control.

        The power cabling is already in place.

        What they really need is to put this control into the lighting fixture, not the lightbulb. Then it has an economy of scale. New LED and some fluorescent ballasts now offer 0-10 VDC inputs so lights can be dimmed or turned on and off with hardwired control. There are more commercial product coming out that integrate the wireless into the switch or the lighting socket which make more sense than putting it into the bulb like Phillips.

    2. Robert Helpmann??

      Re: Er...

      Why FFS do I want an internet connected light bulb?

      I can only guess why you might, but I can guess at a couple of reasons why including lighting in an automation scheme might be beneficial. In fact, instead of discussing lighting as a single issue, perhaps it would be better to look at why automating appliances might be worthwhile. First, differentiate between home and office use. Much of what goes into home automation is a combination of the cool factor and pure ostentation. Yes, there are plenty of truly worthwhile things to be done with home automation. What these are is likely to be defined as a function of taste more than anything else, I suspect. Setting it up so your lighting flashes to music or dims during a certain period probably has some use somewhere for someone. On the corporate side of the world, there is pressure for efficiencies which may be tracked and controlled through the use of automation. Image is also important.

      I would expect the trend to be automate everything and control it all through a common interface. That interface will almost certainly be available remotely... which leads us back to light bulbs on the internet.

  13. Haku

    "even your fridge will have its own IP address..."

    I recall more than one tech news article in the past proclaiming just that.

    Well if the manufacturers of these new fangled networked appliances can't even secure a simple lightbulb properly then we're all screwed, I don't want to come home and find my frigde got hacked and ordered 1000 gallons of milk from a home delivery supermarket.

    1. Yet Another Anonymous coward Silver badge

      Re: "even your fridge will have its own IP address..."

      Sometimes think a webcam inside the fridge would be useful

      I can check if I have any milk from work and even if it did get hacked I don't really care if millions of people on the interwebietubes are watching my gradually decaying celery

      And it would answer the great philosophical question - does the light really go off when you close the door?

      1. Rukario

        Re: "even your fridge will have its own IP address..."

        Gradually decaying celery? Not with the ideal fridge. (Mandatory XKCD reference.)

  14. MatsSvensson

    At least we wont have to worry about skynet.

    Since we will be the one that creates it, don't count on it being able to do shit without falling on its ass and accidentally reformatting itself after two nanoseconds.

  15. Richard Pennington 1

    Remind me ....

    How many engineers does it take to secure a lightbulb?

  16. Anonymous Coward
    Anonymous Coward

    Frankly I'm surprised it had any security at all

    A lot of CE products don't. And in a way, that might be better - rather than trying to do security correctly in tons of connected devices, have it behind to a device (a wireless router in the home, whatever gateway is managing all such devices in a commercial environment) that handles security for it.

    If you rely on its security, what happens if it is cracked? (security, not the glass) Do we really want to live in a world where we have to do firmware updates on our light bulbs? If you say "it can download them automatically", what happens if the support life of your light bulb is a lot shorter than its bulb life? Are you left only buying from major vendors, because you worry a small firm might go out of business and the site the bulbs access for firmware updates goes away?

    1. Richard 12 Silver badge

      Re: Frankly I'm surprised it had any security at all

      In this case it's that gateway that was cracked.

This topic is closed for new posts.

Other stories you might like

Biting the hand that feeds IT © 1998–2022