Abusing the Internet of Things


Controlling Lights via the Website Interface
A good way to uncover security vulnerabilities is to understand the underlying technology
architecture, and use-case analysis is one of the best ways to do so. The most basic use case of
the hue system is to register for an online hue account through the website interface and link
the bridge to the account. Once this is accomplished, the user can use her account to control
the lights from a remote location. In this section, we will take a look at how the system lets the
user associate the bridge with her account and control the lights from the website. Once we’ve
shown how the use case is implemented in design, we will discuss associated security issues
and how they can be exploited.
First, every user must register for a free account at the hue portal, shown in Figure 1-2.
The user is required to pick a name, enter an email address, and create a
(six-character-minimum) password.


FIGURE 1-2. hue website account registration


In the second step, the website attempts to locate the bridge and associate it with the
account the user just created. As shown in Figure 1-3, the website then displays the message
“We found your bridge.”


CHAPTER 1: LIGHTS OUT—HACKING WIRELESS LIGHTBULBS TO CAUSE SUSTAINED BLACKOUTS
