Industry News

Security Flaw in Philips Lighting System Lets Hackers Keep You in the Dark

An unfortunate implementation of the security token in the Hue intelligent lighting system from Philips could allow an attacker to control the lights in your home and turn them on or off at will.

According to a paper by security researcher Nitesh Dhanjani, the problem arises from the fact that mobile devices or PCs used to control the lighting system are authorized with a token (a unique identifier) derived from the device’s MAC address.

“The secret whitelist token was not random but the MD5 hash of the MAC address of the desktop or laptop or the iPhone or iPad. This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP cache of the infected machine),” wrote Dhanjani in his research paper.

Of course, to control the lights inside the house, the attacker needs access to the Wi-Fi router on the premises and has to know the MAC address of the device used to control the Hue system. However, once these prerequisites are met, the attacker gets full and almost irrevocable access to the Hue bridge – the device that links the bulbs to the Internet.
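The weakness described above is that the bridge's whitelist token is a deterministic function of something visible on the local network, so anyone who learns the MAC can recompute the token. The following is an added example (not code from the article or from Philips) that places the flawed derivation next to a random, revocable token scheme so the difference is concrete. The exact byte formatting the bridge fed into MD5 is not stated on the page, so the lower-case colon-separated form used here is an assumption, and the MAC addresses are constructed samples.

```python
import hashlib
import hmac
import secrets

# Constructed sample MAC addresses for illustration (not from the article).
SAMPLE_MACS = ["00:17:88:0a:1b:2c", "00:17:88:0a:1b:2d"]


def weak_token(mac: str) -> str:
    """Token derived the way the article describes: MD5 of the controller's MAC.

    Assumption: the MAC is hashed as its lower-case, colon-separated ASCII
    string; the real bridge's formatting is not given on the page. The point
    is that the output is fully determined by a network-observable value.
    """
    return hashlib.md5(mac.lower().encode("ascii")).hexdigest()


def strong_token(nbytes: int = 16) -> str:
    """Whitelist token drawn from the OS CSPRNG.

    Nothing observable on the wire (MAC, hostname, IP) determines it, so
    learning those values gives an observer no way to reproduce the token.
    """
    return secrets.token_hex(nbytes)


def verify_token(presented: str, stored: str) -> bool:
    """Constant-time comparison so timing does not leak how many leading
    characters of a guess were correct."""
    return hmac.compare_digest(presented.encode("ascii"), stored.encode("ascii"))


class Whitelist:
    """Minimal bridge-side whitelist using random tokens.

    Because a token is not tied to the device's MAC, it can be revoked and a
    fresh one issued, which addresses the 'almost irrevocable access' problem
    the article raises: a MAC-derived token cannot change unless the MAC does.
    """

    def __init__(self) -> None:
        self._tokens: set[str] = set()

    def register(self) -> str:
        """Issue a new random token (in practice only during a physical
        pairing step, e.g. a button press on the bridge)."""
        tok = strong_token()
        self._tokens.add(tok)
        return tok

    def is_authorized(self, presented: str) -> bool:
        # Compare against every stored token in constant time; no early exit
        # that depends on which entry matched.
        matched = False
        for tok in self._tokens:
            matched |= verify_token(presented, tok)
        return matched

    def revoke(self, tok: str) -> bool:
        """Remove a token; returns True if it was present."""
        if tok in self._tokens:
            self._tokens.discard(tok)
            return True
        return False


def weak_token_is_reproducible(mac: str) -> bool:
    """The defect in one line: anyone holding the MAC derives the same token."""
    return weak_token(mac) == weak_token(mac)


def strong_tokens_are_independent(n: int = 8) -> bool:
    """Repeated issuance yields distinct tokens; no input predicts them."""
    return len({strong_token() for _ in range(n)}) == n


if __name__ == "__main__":
    print("MD5(MAC) token for", SAMPLE_MACS[0], "->", weak_token(SAMPLE_MACS[0]))
    wl = Whitelist()
    t = wl.register()
    print("random token accepted:", wl.is_authorized(t))
    wl.revoke(t)
    print("after revocation:", wl.is_authorized(t))
```

Run as a script to see that the MAC-derived token is always the same 32-hex-character value for a given MAC, while the whitelist tokens are unpredictable and can be revoked without touching the client device.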

“It is important that Philips and other consumer IoT organizations take issues like these seriously. In the age of malware and powerful botnets, it is vital that people’s homes be secure from vulnerabilities like these that can cause physical consequences,” the researcher concluded.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.


  • Oh no, after a long hacking session someone might turn on or off the lightbulbs in one of a few homes! Quick, everybody, run for your lives!

    On the serious side, maybe companies will take security more seriously in future (perhaps more dangerous) products now that this defect has become public.

    • It took me a while to decide whether or not to report on this, because yeah, that was my initial thought too: what harm can disco lights do to a household? But on second thought, imagine elderly people who may have these installed in their home by children or grandchildren – it would cause panic and discomfort.

      And it’s not only bulbs that are vulnerable to this kind of threat – most IoT devices (including TV sets and set-top boxes) are in the same situation. There’s no excuse for lack of security.

  • Dear mister Botezatu, I can assure you that Philips does NOT produce “lightning” systems. Tesla probably holds the patent for those.