Make it Blink: Over-the-Air Exploitation of the Philips Hue Bridge
Written by Mehdi Talbi, Matthieu Breuil - 06/05/2026 - in Exploit
The year-end edition of Pwn2Own took place in Cork, Ireland. For the first time, this event featured smart home devices, including the Amazon Smart Plug, Home Assistant Green, and the Philips Hue Bridge. The attack scenario defined by the ZDI involved an adversary with access to services listening on the local network, or launching an attack via a proximity network (Wi-Fi, Bluetooth, Zigbee). This article details the research conducted on the Philips Hue Bridge to achieve remote code execution (RCE) from the Zigbee network.
Philips Hue Bridge
Overview
The Philips Hue Bridge comes in two versions: a standard version (white casing) and a Pro version (black casing), the latter of which was recently released in 2025. For the Pwn2Own competition, only the standard version was included in the target list.
The Philips Hue Bridge allows users to control lighting and create various ambiances via the Hue mobile app. Communication between the bridge and the bulbs is handled over a Zigbee network. New devices can be paired either by launching a scan from the app or by pressing the central button on the casing. A discovery process then follows to collect information about the detected devices and integrate them into the network.
Getting a shell
The first step was to get a shell on the device. Fortunately, several blog posts detail how to achieve this. The process requires shorting a specific pin during the boot sequence; from there, it is possible to reset the keys and enable the SSH service, giving persistent root access for debugging and reverse engineering.
Architecture
The Philips Hue Bridge is based on a MIPS architecture running Linux. All core functionalities are consolidated into a single, large binary (> 9 MB) named ipbridge, which contains approximately 40,000 functions. Multiple instances of this binary are executed to manage various services, such as Apple HomeKit, Matter, and others.
Attack surface
The attack surface comprises both services accessible via the local network and proximity interfaces, such as Bluetooth and Zigbee. Several services are listening, including hk_hap, which runs on TCP port 8080. This service handles the interaction between the Philips Hue Bridge and Apple HomeKit. During Pwn2Own, all competing teams exploited vulnerabilities in this service, most commonly through an authentication bypass followed by memory corruption.
Other services, such as Matter (a standardized smart home protocol designed for cross-vendor interoperability), mDNS, and UPnP, are also accessible but were not explored in this research. To avoid potential bug collisions during the competition, we chose to focus on the RF surface instead. The article Don’t be silly – it’s only a lightbulb by Check Point Research highlights several vulnerabilities in Zigbee frame processing and serves as an excellent starting point for getting familiar with this specific attack surface.
Zigbee
Zigbee stack
This section first provides a brief overview of the Zigbee stack. At the top of the stack, two application-layer protocols are of interest: ZDP (Zigbee Device Profile) and ZCL (Zigbee Cluster Library). The former is used for network management and node discovery, while the latter defines standard actions such as turning on a light or reading a sensor value, organized into clusters of attributes and commands.
Two encryption keys are used within the Zigbee network. The first is called the Link Key, and its default value is "ZigBeeAlliance09". It is used to protect the exchange of the second key, the Network Key, which is distributed during the pairing phase. This second key is then used to encrypt the data on the Zigbee network. Consequently, an attacker eavesdropping on the network during the pairing phase, and who knows the default Link Key, could decrypt the key transport and recover the Network Key.
It should be noted that the Zigbee 3.0 specification enhances security: every device supporting the new standard features a unique secret called an install code, from which a device-specific Link Key is derived to secure the distribution of the Network Key instead of the publicly known default.
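To make the ZCL layer described above concrete, here is an added example (not code from the article, the Hue firmware or the ipbridge binary) that parses and builds ZCL frames according to the field layout in the ZCL specification: a frame-control byte, an optional little-endian manufacturer code, a transaction sequence number, a command identifier and the command payload. It shows the global "Read Attributes" command, the cluster-specific On/Off "Toggle" command, and a bounds-checked decoder for "Read Attributes Response" records, since over-the-air input of this kind is exactly what a handler on the bridge has to treat as untrusted. Cluster, command and data-type identifiers are the standard ZCL values; the sample frames are constructed for the example.

```python
"""Minimal Zigbee Cluster Library (ZCL) frame parser/builder (added example).

Layout per the ZCL specification:
  frame control (1) | [manufacturer code (2, LE)] | seq (1) | command (1) | payload
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Frame control bit fields
FRAME_TYPE_MASK = 0x03               # 0 = global (profile-wide), 1 = cluster-specific
MANUFACTURER_SPECIFIC = 0x04         # a 2-byte manufacturer code follows
DIRECTION_SERVER_TO_CLIENT = 0x08
DISABLE_DEFAULT_RESPONSE = 0x10

FRAME_TYPE_GLOBAL = 0
FRAME_TYPE_CLUSTER = 1

# A few global command identifiers
CMD_READ_ATTRIBUTES = 0x00
CMD_READ_ATTRIBUTES_RSP = 0x01

# On/Off cluster (0x0006): cluster-specific commands and its main attribute
ONOFF_CLUSTER = 0x0006
ONOFF_CMD_OFF, ONOFF_CMD_ON, ONOFF_CMD_TOGGLE = 0x00, 0x01, 0x02
ONOFF_ATTR_ONOFF = 0x0000

# ZCL data types handled by the response decoder (fixed width only)
DATA_TYPE_SIZES = {0x10: 1, 0x20: 1, 0x21: 2}   # bool, uint8, uint16


@dataclass
class ZclFrame:
    frame_type: int
    manufacturer_code: int | None
    server_to_client: bool
    disable_default_response: bool
    seq: int
    command: int
    payload: bytes

    def to_bytes(self) -> bytes:
        fc = self.frame_type & FRAME_TYPE_MASK
        if self.manufacturer_code is not None:
            fc |= MANUFACTURER_SPECIFIC
        if self.server_to_client:
            fc |= DIRECTION_SERVER_TO_CLIENT
        if self.disable_default_response:
            fc |= DISABLE_DEFAULT_RESPONSE
        out = bytes([fc])
        if self.manufacturer_code is not None:
            out += struct.pack("<H", self.manufacturer_code)
        return out + bytes([self.seq, self.command]) + self.payload


def parse_zcl(data: bytes) -> ZclFrame:
    """Parse a ZCL frame, checking the length before every header access.

    The frame-control flags are attacker-controlled, so the presence of the
    manufacturer code is verified against the actual length, not assumed.
    """
    if len(data) < 3:
        raise ValueError("ZCL frame shorter than minimal header")
    fc = data[0]
    pos = 1
    manufacturer_code = None
    if fc & MANUFACTURER_SPECIFIC:
        if len(data) < 5:
            raise ValueError("manufacturer-specific flag set but header truncated")
        manufacturer_code = struct.unpack_from("<H", data, pos)[0]
        pos += 2
    return ZclFrame(
        frame_type=fc & FRAME_TYPE_MASK,
        manufacturer_code=manufacturer_code,
        server_to_client=bool(fc & DIRECTION_SERVER_TO_CLIENT),
        disable_default_response=bool(fc & DISABLE_DEFAULT_RESPONSE),
        seq=data[pos],
        command=data[pos + 1],
        payload=bytes(data[pos + 2:]),
    )


def build_toggle(seq: int) -> bytes:
    """On/Off cluster 'Toggle', client -> server, no payload."""
    return ZclFrame(FRAME_TYPE_CLUSTER, None, False, False, seq, ONOFF_CMD_TOGGLE, b"").to_bytes()


def build_read_attributes(seq: int, attr_ids: list[int]) -> bytes:
    """Global 'Read Attributes': payload is a list of little-endian attribute IDs."""
    payload = b"".join(struct.pack("<H", a) for a in attr_ids)
    return ZclFrame(FRAME_TYPE_GLOBAL, None, False, False, seq, CMD_READ_ATTRIBUTES, payload).to_bytes()


def parse_read_attributes_rsp(frame: ZclFrame) -> dict[int, tuple[int, bytes]]:
    """Decode 'Read Attributes Response' records into {attr_id: (status, raw value)}.

    Record: attr id (2, LE) | status (1) | [data type (1) | value] when status == 0.
    Every record is length-checked so a truncated frame raises instead of over-reading.
    """
    out: dict[int, tuple[int, bytes]] = {}
    p, pos = frame.payload, 0
    while pos < len(p):
        if len(p) - pos < 3:
            raise ValueError("truncated attribute record")
        attr_id, status = struct.unpack_from("<HB", p, pos)
        pos += 3
        if status != 0:
            out[attr_id] = (status, b"")
            continue
        if pos >= len(p):
            raise ValueError("record missing data type")
        dtype = p[pos]
        pos += 1
        if dtype not in DATA_TYPE_SIZES:
            raise ValueError(f"unsupported data type 0x{dtype:02x}")
        size = DATA_TYPE_SIZES[dtype]
        if len(p) - pos < size:
            raise ValueError("attribute value truncated")
        out[attr_id] = (status, bytes(p[pos:pos + size]))
        pos += size
    return out
```

Used against a real transceiver, the ZCL frame is carried inside APS and NWK headers (the NWK payload being encrypted with the Network Key), so these bytes are what a sniffer shows after decryption and what a fuzzer mutates before re-encapsulation. The error paths in the two parsers are the point: each one corresponds to an unchecked read that a frame handler on the bridge must not perform.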
Zigbee frame processing
Zigbee frames are first received by the Atmel radio controller, which converts them from their binary form into a textual format before forwarding them to the ipbridge binary over a serial device exposed as /dev/ttyZigbee.
The data is then processed in a thread named smartlink, which is responsible for identifying and executing the appropriate handler.
Messages transmitted...