Zigbee flaw fixed

Zigbee Security vulnerability that affected Hue Smart bulbs has been patched


Ha great minds!!! I just posted an article from TheVerge. Maybe the moderators can combine the two threads..

Sounds more like a Hue vulnerability rather than a Zigbee vulnerability. I don't have "Smart" bulbs. I have standard bulbs but control them with Zigbee switches or dimmers. Besides, HE does not do OTA updates so this is not an exploit to which the HE would be vulnerable.

I don't think that will help. The coordinator doesn't have to be the OTA server. I have a Conbee II joined to my Hubitat's network and have updated Ikea and Osram products. The thing is, it is very clunky: most devices automatically assign the coordinator as the OTA server when they join the network, so I have to disable the Zigbee radio on Hubitat and then power cycle the device. Usually the device then takes the Conbee as the OTA server and you can load new firmware if the device will take it. You can turn the Hubitat's radio back on while the update happens.

That being said I haven't read the details on the exploit. But you can run a different OTA server on the hubitat's network and update firmware.

Okay. I won't be using any Zigbee light bulbs anyway, Hue or any other brand. I think I am safe.

My (limited) understanding of this attack is:
The Zigbee device is compromised first. Then if the user deletes and re-pairs the compromised Zigbee device with the hub, the hub can possibly become compromised as well.

I assume Philips fixed this by hardening their hub. Has anyone heard if the Hubitat hub might also be vulnerable to this attack?

From what I'm reading, this can apply to any Zigbee device that can get a firmware update through a hub (so I'm thinking specific brand hubs).
