How much security would you expect in a $60 light globe?

Would you buy light globes from the Apple Store?

Would you spend a cool $60 each, or $200 for a pack of three?

That’s the price that enthusiastic early adopters are paying for the Philips Hue Connected Bulb.

The Hue is a light globe that’s different in more than just its price.

It can controlled wirelessly, and contains three LEDs that can be individually tweaked (and even animated) to produce a wide range of different colours, although it doesn’t seem to be terribly good at blue and green.

The wireless part uses a lightweight protocol called ZigBee Light Link, which means that a full-on internet software stack and Wi-Fi adpapter isn’t needed in every lamp.

Instead, there’s a single network-facing device, about the size of a toffee tin, that talks to the ZigBee-enabled globes, known as the Hue Bridge.

(The curious pricing above, where three $60 globes cost $200, reflects the fact that you get a Bridge in every three-pack. One Bridge can control up to 50 lamps. Assuming you have $3000 to splash on light globes, that is.)

You connect the Bridge to your network – and, despite the prestigious pricing, you have to plug it in with a network cable, because it doesn’t have a Wi-Fi adapter either – and then you control the Bridge from a computer.

Groovily, Philips has published a programming interface so you can roll your own Hue control software for any sort of device.

Nevertheless, as you can imagine for a third-party product that can only be purchased from an Apple store, the control platform of choice is an iPhone or iPad.

There’s an Android app in the Play Store, too, but some of the reviews suggest it’s a rather poor cousin of the iDevice version.

I’m sure you’ve guessed what’s coming next.

That’s right: the Hue Bridge isn’t terribly secure, as the technology press has been pointing out for the past few days, thanks to a report by a security researcher called Nitesh Dhanjani.

Indeed, judging from headlines like El Reg’s pejorative “Philips’ smart lights left in the dark by dumb security” to Gizmodo’s ultra-capitalised “Philips Hue Light Bulbs Are Highly Hackable,” things don’t sound too good for the Eindhoven Engineers.

Here’s why.

The application programming interface (API) uses HTTP, so you make web requests to the Bridge, and it converts these into the appropriate Zigbee commands to pass on to the lights.

The URLs you use to issue commands have to include a username that is pre-authorised by the Bridge.

Here’s an HTTP request to turn off Light One:

  PUT /api/username/lights/1/state

  { "on": false }

Er, that’s it.

There’s no HTTPS, and not even any HTTP digest authentication, to protect the commands from eavesdropping or replay.

Once you know any of the usernames that the Bridge will accept, you can use it to create URIs and issue any supported command, such as turning lights on and off, or flashing out the message URPWN3D in Morse code.

Actually instructing the Bridge to start trusting a new user in the first place is a little less free-for-all.

You have to press the button on the Bridge less than 30 seconds before issuing an add user command, a step the Philips documentation says “prove[s] that the user has physical access to the Bridge.”

But it doesn’t really “prove” anything, of course – it just means someone pressed the button in the last 30 seconds.

A miscreant on your network – a shameless visitor, for example – could run a script to create a new user every 29 seconds, and if anyone were to press the Bridge button at any time during their visit, they’d have a username they could use indefinitely.

According to Dhanjani, however, even that sort of effort is over the top if you use Hue’s official app.

That’s because the official app generates its username by taking the MD5 hash of your iDevice’s network MAC address.

As you probably know, MAC addresses are pretty much a matter of public record, at least if you have ever tried to associate to a Wi-Fi access point (encrypted or not), because the MAC address is broadcast as a unique device identifier when you try to connect.

Ironically, this means that if you use Wi-Fi at home, and rely on shortcuts like MAC address filtering so you don’t need to bother with encryption, anyone who connects unlawfully to your network by “borrowing” your MAC address will also get implicit authorisation to do wild things to your Hue lighting.

That’s probably not what you want.

Richard Chirgwin of The Register dubbed this “dumb-as-a-sack-of-hammers security,” and Dhanjani himself fitted out his paper with the attention-grabbing section header “Malware Can Cause Perpetual Blackout.”

I’ll be a little more conciliatory, and say merely that this is “underwhelming,” not least because randomly-generated usernames by the Hue app and HTTPS for the API would have been easy enough to build into the system from the start.

→ The argument that the memory and processor demands of HTTPS are a bit of a budget-stretcher for tiny embedded devices with low-powered CPUs, such as the Hue Bridge, holds no water. Lightweight, BSD-licensed TLS implementations such as axTLS compile down to a few tens of kilobytes, and were designed for precisely this sort of application.

By the way, to learn why MAC addresses are a poor basis for access control, you might like to take a look at this video we made earlier this year, Three Wireless Security Myths – Busted!.

I’ll leave you with a pertinent comment from Dhanjani’s paper on Hue security, pointing out how important it is that:

...consumer IoT organizations take issues like these seriously. In the age of malware and powerful botnets, it is vital that people's homes be secure from vulnerabilities like these that can cause physical consequences.

In case you’re wondering, IoT is short for Internet of Things, a networking vision in which the internet is populated by fridges, TVs and, indeed, each light in your home.

The light globes in your Hue Starter Pack might not yet have their own IP numbers (the Bridge is their internet proxy), but by golly, they’re close.