Wednesday, August 14, 2013

What do you get when you spend $100 on a lightbulb?

A couple months ago I posted on the $100 Philips Hue light bulb which is so exclusive that it's only sold to fanboys through the Apple Store. So what do you get for your money? A light bulb that can be trivially hacked to leave you in the dark:

The Philips Hue “smart lighting” system uses a dumb-as-a-sack-of-hammers device authentication scheme that allows anyone with the iPhone control app to issue instructions to the controller via HTTP.

...

And Hue also has a “feature” that probably had the marketing team in a spasm of hypegasm when it was devised: users can set up “recipes” that let the lights respond to the state of other apps. For example, the hue of the Hue can be made to respond to the user's Facebook activity for a service called “If This Then That” (IFTTT).

If the lights' colour was set to respond to a tagged photo on Facebook, for example, then simply sending a black photo would activate the recipe and turn the lights off.

Security wasn't an afterthought, it wasn't thought of at all. Here's a video of the hack in action:



I'd call the Philips team a bunch of idiots, but that would be insulting to actual idiots.

6 comments:

Dave H said...

What do you get when you spend $100 on a lightbulb?

Screwed?

KurtP said...

Sorry, but I just can't find it in my conservative heart to feel sorry for some YUPPY who needs to spend $100 for a light bulb...because of the name.



BWAhahahahahahaha

Borepatch said...

Dave, LOL.

Kurt, word.

Unknown said...

"... the $100 Philips Hue light bulb which is so exclusive that it's only sold to fanboys through the Apple Store"

Ahem.

Philips 431650 Hue Personal Wireless Lighting, Single Bulb, Frustration Free

Philips 431643 Hue Personal Wireless Lighting, Starter Pack, Frustration Free

You can even get Prime shipping on both.

Unknown said...

Also, it seems kind of odd that a product sold only to fanboys in the Apple Store would have an official Android app.

Jake (formerly Riposte3) said...

On a note related to your "Security wasn't an afterthought, it wasn't thought of at all" meme, it looks like Google's Chromecast is security free too - not even a simple PIN - but this time it's by deliberate design. They're assuming that users will have their wifi successfully secured, and that no one will want to use it in a commercial or shared network.