This scenario is high risk, because all the attacker needs to do is take usernames (when they are in the form of email addresses) and passwords that have already been compromised and posted publicly, and test those credential pairs against the hue site. In this way, attackers can easily harvest hue accounts and gain the ability to change the state of people's lightbulbs remotely.
Related threats include compromise of the hue website infrastructure itself, or abuse of the system by a disgruntled employee. Either situation would put enormous power in the hands of an attacker. Philips has not publicly stated its internal governance process or the steps it may have taken to detect attacks on its infrastructure. Nor is there any indication from Philips of how it protects the stored passwords in its databases, or whether they are accessible to employees in the clear.
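Detection logic for the credential-reuse attack described above, written as an added example for this section; it is not code from the book, from Philips, or from the hue site. The log format, the thresholds and the sample lines are constructed. The distinguishing shape of a leaked-list replay is one source trying many distinct accounts in a short window with mostly failures, and the few successes inside such a burst are exactly the accounts whose reused password matched and therefore need a forced reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of web-login audit lines in a hypothetical "key=value"
# format (not the hue site's real log format). Source IPs come from the
# RFC 5737 documentation ranges and the accounts are invented.
SAMPLE_LOG = """\
2015-03-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2015-03-01T10:00:02Z ip=203.0.113.5 user=bob@example.com result=fail
2015-03-01T10:00:02Z ip=203.0.113.5 user=carol@example.com result=fail
2015-03-01T10:00:03Z ip=203.0.113.5 user=dave@example.com result=ok
2015-03-01T10:00:04Z ip=203.0.113.5 user=erin@example.com result=fail
2015-03-01T10:00:05Z ip=203.0.113.5 user=frank@example.com result=fail
2015-03-01T10:00:09Z ip=198.51.100.7 user=grace@example.com result=fail
2015-03-01T10:00:20Z ip=198.51.100.7 user=grace@example.com result=fail
2015-03-01T10:00:31Z ip=198.51.100.7 user=grace@example.com result=ok
2015-03-01T11:30:00Z ip=192.0.2.9 user=heidi@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Turn audit lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]})
    return events


def find_credential_stuffing(events, window=timedelta(minutes=10),
                             min_users=5, min_fail_rate=0.8):
    """Flag source IPs that try many *distinct* accounts inside one time window
    with a high failure rate. That shape separates replay of a leaked credential
    list from one user mistyping their own password (a single account) and from
    a busy but legitimate NAT address (low failure rate).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda ev: ev["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {ev["user"] for ev in chunk}
            failures = sum(1 for ev in chunk if ev["result"] == "fail")
            if len(users) >= min_users and failures / len(chunk) >= min_fail_rate:
                # Accounts that succeeded inside a stuffing burst are the ones
                # whose reused password matched; they need a forced reset.
                hits = sorted(ev["user"] for ev in chunk if ev["result"] == "ok")
                findings[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "failures": failures,
                    "compromised_accounts": hits,
                }
    return findings


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample above only 203.0.113.5 is flagged (six accounts, five failures, one success for dave@example.com); 198.51.100.7 fails twice on a single account and then succeeds, which is a user, not a list replay. The thresholds are starting points to tune against real traffic, and the same logic applies per-account across many IPs when the attacker spreads attempts over a proxy pool.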
Controlling Lights Using the iOS App
Users can also control hue lights locally or remotely using an iPhone or iPad with the hue app
available on the App Store.
When the hue app is first launched, it tests to see if it has authorization to send commands to the hue bridge on the local network:
GET /api/[username DELETED] HTTP/1.1
Host: 10.0.1.2
Proxy-Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-us
Connection: keep-alive
Pragma: no-cache
User-Agent: hue/1.1.1 CFNetwork/609.1.4 Darwin/13.0.0
The username token is selected by the hue app. This is the response from the bridge:
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 1 Aug 2011 09:00:00 GMT
Connection: close
Access-Control-Max-Age: 0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: Content-Type
Content-type: application/json
[{"error":{"type":1,"address":"/","description":"unauthorized user"}}]
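A small client-side check for the exchange shown above, added here as an example; it is not the hue app's code or Philips's API library. The point it makes is visible in the capture: the bridge answers "200 OK" even when the token is rejected, so a client (or a monitoring script) must classify the JSON body rather than the status line. The unauthorized body is taken verbatim from the page; the shape of an authorized reply (a JSON object rather than an error list) and the helper that performs the request are assumptions, not something this page shows.

```python
import json
import urllib.parse
import urllib.request

# The body the bridge returned on this page for an unauthorized token, used
# here as sample input for the classifier.
UNAUTHORIZED_BODY = '[{"error":{"type":1,"address":"/","description":"unauthorized user"}}]'

# Hypothetical body for an accepted token: a JSON object describing the bridge.
# This shape is an assumption for the example, not a response shown on the page.
AUTHORIZED_BODY_EXAMPLE = '{"lights":{},"config":{"name":"Philips hue"}}'


def bridge_auth_state(body):
    """Classify the body of GET /api/<username>.

    Returns one of "unauthorized", "other-error", "authorized" or "malformed".
    An unauthorized token yields a JSON *list* of error objects whose type is 1.
    Any other error list is reported as "other-error" so the caller does not
    mistake it for success; a JSON object is taken to mean the token was accepted.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return "malformed"
    if isinstance(data, list):
        errors = [item["error"] for item in data
                  if isinstance(item, dict) and isinstance(item.get("error"), dict)]
        if any(err.get("type") == 1 for err in errors):
            return "unauthorized"
        if errors:
            return "other-error"
        return "malformed"
    if isinstance(data, dict):
        return "authorized"
    return "malformed"


def check_bridge_token(bridge_host, username, timeout=5):
    """Issue the same request the app makes and classify the reply.

    Network helper only (not exercised here). Plain HTTP is used because that
    is the protocol the bridge speaks on the local network, as the capture shows.
    """
    url = "http://%s/api/%s" % (bridge_host, urllib.parse.quote(username, safe=""))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    # Deliberately ignore resp.status: the bridge returns 200 for errors too.
    return bridge_auth_state(body)


if __name__ == "__main__":
    print(bridge_auth_state(UNAUTHORIZED_BODY))        # unauthorized
    print(bridge_auth_state(AUTHORIZED_BODY_EXAMPLE))  # authorized
```

Treating an empty list or non-JSON body as "malformed" rather than as success is the defensive default: a client that only checks `resp.status == 200` before acting would believe it was authorized when it is not.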
Since this is the first time the iOS device is attempting to connect to the bridge, the device
is not authorized. In this situation, the user needs to prove physical ownership by pressing the
CHAPTER 1: LIGHTS OUT—HACKING WIRELESS LIGHTBULBS TO CAUSE SUSTAINED BLACKOUTS