Flaw in the Philips Hue left home networks open to cybercriminals, research finds

A flaw in one of the most popular brands of smart light bulbs allowed hackers to potentially access home networks of users.

According to a recent report from cyber security researchers at Check Point, a previously identified bug that allowed to infiltrate Philips Hue smart bulbs using a drone that hovers outside of a building has yet to be fully fixed.

This time, using a similar glitch than the one reporter in 2017, researchers say they were able to access the bulbs and also their corresponding ‘control bridge’ which leads to a users’ home network.

The researchers say a flaw discovered in 2017 can be exploited to gain control over a user’s home network where a hacker could offload malware

Though the process is fairly involved, researchers say their work shows how seemingly mundane IoT devices can expose more crucial aspects of someone’s home network and beyond.

‘Many of us are aware that IoT devices can pose a security risk, but this research shows how even the most mundane, seemingly ‘dumb’ devices such as light bulbs can be exploited by hackers and used to take over networks, or plant malware,” said Yaniv Balmas, Head of Cyber Research, Check Point Research.  

To infiltrate the network, researchers first exploited a bug that remained active from previous research that allowed hackers to control aspects of a Philip’s smart bulb like brightness.

Once they gained control of the bulb or bulbs, they used access to lower and raise its brightness in an attempt to trick the user into thinking there was a glitch with the device and resetting the product by deleting it from an app and attempting to re-discover it. 

Once the compromised bulb is re-discovered, it is able to offload malware to the users’ ‘control bridge’ – a central hub from which one’s home network is also linked.

Fortunately, Check Point, which notified the company of the flaw in November, said Philips has issued a patch for its products that should have been automatically downloaded. 

IoT devices have been the subject of scrutiny from security skeptics who point out that they can often compromise more crucial aspects of one’s life

Despite the fix, they say revelations about potential vulnerabilities should raise concerns on which devices we allow to have access to our home networks.

‘It’s critical that organizations and individuals protect themselves against these possible attacks by updating their devices with the latest patches and separating them from other machines on their networks, to limit the possible spread of malware,’ write the researchers.

‘In today’s complex fifth-generation attack landscape, we cannot afford to overlook the security of anything that is connected to our networks.’