Zigbee Alliance confirms its technology remains secure after Philips Hue flaw
The vulnerability made it possible for hackers to break into a smart home system via Hue light bulbs.
The Zigbee Alliance has confirmed to GearBrain that its smart home technology was unaffected by a vulnerability discovered in the security of Philips Hue smart light bulbs.
"This vulnerability was not due to a deficiency in the Zigbee specification; there is no update needed in the Zigbee specification," said the Zigbee Alliance in an email to GearBrain. "The Zigbee Alliance constantly evaluates issues involving security threats, works alongside members and adjusts accordingly, and continues to innovate and lead to achieve good global connections."
Cybersecurity researchers first discovered a flaw in how Philips Hue light bulbs communicate using the Zigbee wireless networking protocol, reporting their findings in early February.
The glitch made it possible for a potential hacker to interfere with a bulb, prompting the owner to reset it in a bid to fix the problem. However, resetting it would let the hacker gain further access to the system, first infecting the Hue bridge with malware, then spreading to the rest of the target's home network.
Discovered by Check Point, a provider of cyber security software to governments and businesses, the vulnerability was fixed through a patch from Signify, owner of Philips Hue, before the flaw was made public. At first it appeared to be an issue with the Zigbee protocol itself, but the Zigbee Alliance now says this is not the case.
Having gathered up key executives from partners of the Zigbee Alliance, the organization was able to confirm that the vulnerability was not with the wireless technology itself, but with how the Philips Hue system works.
"In this particular case, Signify deployed a patch for Philips Hue devices before the vulnerability was disclosed," Zigbee told GearBrain. "According to Signify, there is very limited risk to users, but they should always make sure products are updated to the latest software version."
Many brands use Zigbee to connect their devices, including Yale, which also told GearBrain that its devices were not affected by this specific vulnerability.
"Recently, the security company Check Point discovered a Zigbee vulnerability that affected Philips Hue light bulbs," said the company in a statement sent to GearBrain. "While we use Zigbee technology in some of our locks, this particular vulnerability is specific to Hue and will not translate to Yale locks as we have image verification that prevents firmware hijacking, and we are not directly integrated with the Hue hub. We are committed to safeguarding our customers' security and privacy as a top priority for Yale and ASSA ABLOY."
Anyone still concerned about their Philips Hue system should open the Hue smartphone app and check that the firmware for their Hue Bridge is version 1935144040 or newer. That patch was released on January 13, so it should now have been automatically installed for most users.
-Additional reporting from Lauren Barack