Philips Hue, a web-enabled, 50-watt equivalent LED bulb that I described as being a “spendy, smart, and super-chromatic showstopper,” is one versatile little light bulb.

A quick refresher from my original post on what's been dubbed by the marketing folks over at Philips Lighting as “the world’s smartest web-enabled LED home lighting system”:

 … an upgradable and future-proof network of Hue bulbs can transform your home into a veritable discotheque (or the set of a Dario Argento movie) if you aren’t feelin’ that boring old white light or want to let potential intruders know that you're really home while traveling. And in addition to allowing for vibrant, customized colors (apparently more than 16 million colors are possible including an “incandescent white”) and remotely turning the bulbs on and off via smartphone or tablet, the Hue system is capable of a whole lot more.

But as security researcher Nitesh Dhanjani recently discovered, the not-so-impenetrable MAC address-based authentication system tied to the Hue network is also vulnerable to malicious hacking, namely localized blackouts in which the bulbs can be simultaneously — and remotely — switched off for a sustained period. This is fantastic news for deviant pranksters looking to indulge in some spooky “American Horror Story”-style shenanigans on their worst enemies but obviously troubling from a security standpoint.

ExtremeTech elaborates on these blackout attacks:

Using a malware script, Nitesh Dhanjani hacked into a Hue installation and issued a blackout command through the bridge (the Hue’s router) turning the connected lights out entirely. This is essentially the connected home equivalent of a hacker taking over your car, except that Dhanjani actually did it and documented the entire process [See video below].

The attack itself doesn’t seem too interesting — theoretically, the hacker gets a bit of malware onto the victim’s computer which tells the Hue bulbs connected to a bridge on the same network to turn off. The bulbs are still powered but they are not producing light, which is the standard off-state for Hue. This shouldn’t be that bad because the Hue bulbs are designed to revert to the on state after they lose power for any period — say, a wall switch is flipped — but in this case the malware script runs continuously, so the bulbs are commanded to turn off immediately after they are powered up.

Writing to Engadget, a Philips lighting spokesperson reassures Hue users that such a rare attack would be limited to lighting only, and that a home's entire network system, including any all-important personal information stored on said network system, would not be compromised:

In developing Hue we have used industry standard encryption and authentication techniques to ensure that unauthorized persons cannot gain access to lighting systems. An attack of the nature described requires that a computer on your private local network is compromised to send commands internally. This means there is very limited security risk if your home network is properly protected, as traffic passing between your devices and across the internet will remain fully secure. However, if an attack is made upon your home network, everything contained within that network can be compromised. Therefore our main advice to customers is that they take steps to ensure they are secured from malicious attacks at a network level, in order to protect all of their devices, including Hue.

Good to know, but still a touch unnerving, as Dhanjani explains in his white paper titled "Hacking Lightbulbs: Security Evaluation of the Philips hue Personal Wireless Lighting System": "... an abuse case such as the ability of an intruder to remotely shut off lighting in locations such as hospitals and other public venues can result in serious consequences."

Any concerns from Hue users out there?

Via [ExtremeTech], [Engadget]
