Philips Hue – R.E. Whitepaper from Black Hat 2016

At Black Hat 2016 I presented on some reverse engineering of the Philips Hue (also see my other post about getting root on it, which was part of that presentation).

If you were at the talk, you would have also seen mention that you’ll want to keep your eyes out for future publications by Eyal Ronen. You can see his website for more research related to the Hue as well, and follow him on twitter @eyalr0. He’s been doing some work in parallel that I think will do more than just R.E. the bulbs (as I did), and actually bring some of my `possible’ attacks to become real proof-of-concepts.

Summary of the work (to make it clear):

  • I did NOT make a worm. The title was a question someone asked me, and the talk is about the security of the Hue.
  • The mention of a possible ‘Long Range Take Over’ was new/unreleased research by Eyal Ronen – do not credit me with that. It’s part of a larger research publication that will get released at some point.
  • Philips did a rather good job (all things considered). The only trade-off I really call out is reuse of encryption keys across all FW updates for all devices, which is basically what makes a theoretical worm possible.
  • Rooting the Hue (earlier post) is a local attack and very nice for hardware hackers. There are unique root passwords which is a great security step, so far I haven’t found flaws in the Hue Bridge 2.0 besides that.
  • There’s a lot of “interesting vectors” which the talk goes over. Given enough time some of them may give, but it’s a question of who is motivated enough to spend a lot of time on them.

You can get the full slides here too:

Philips Hue Reverse Engineering (BH Talk ‘A Lightbulb Worm?’) Slides [PDF, 8MB]

Here’s a copy of the very large whitepaper I wrote too:

Philips Hue Reverse Engineering (BH Talk ‘A Lightbulb Worm?’) Whitepaper [PDF, 5MB]

This whitepaper is a bit of a ‘data dump’ and ~48 pages of random stuff. But useful if you are interested in pushing this further!

4 thoughts on “Philips Hue – R.E. Whitepaper from Black Hat 2016”

  1. Colin, great stuff. I watched some of your YouTube videos too. I’m interested in the Hue lighting system.
    WRT reverse engineering. I note that Philips don’t have an in line unit , the way say lightwaverf have. This would be handy for bringing in non Hue fittings into a scene. For example a 5 led lamp centre light or a cct of led fittings in a room.
    Have you any thoughts on making one.
    There would be issues hacking a standard lamp like in your video. You’d have to hack all the LEDs in the centre light so that they bypassed the 220Vac(Ireland) and presented the hacked lamp with just the LV LED load. This might need to be amplified, the traffo and ccts in the lamp might be too small to drive say 50 Watts of led light .
    I’m sure there is a more direct route to building one

    Have you any thoughts on this? Purely out of interest? Regards great paper and videos. Thank you, you saved me some hammering and bridged some intellectual gaps.

    1. I think you’d be no-go… all the lights I’ve looked at from Hue (I’ve only looked at individual bulbs though & not the fixtures) use actual LED driver chips which forms a AC-DC converter. It’s not anything you could easily upgrade as there’s a small transformer in that loop + the driver chip.

      But any ZLL stuff should be compatible, easiest way is to check the ZLL website that lists all ZLL compatible products. I don’t know if there is something specifically that would work but looks to be some stand-alone inline units!

      1. Thank you. I thought as much looking at lamp you took apart. You’d have to isolate the lighting cct cabling and modify each lamp in it to run as part of a kind of single array.
        And as discussed the traffo wouldn’t handle it either. You’ve issues in too many areas, getting in and out!
        I’ll look at the site. Thank you.

Leave a Reply

Your email address will not be published. Required fields are marked *