Root on the Philips Hue IoT Bridge

Building on the work of others (as is always the case!) [pepe2k] managed to get root access on the Philips Hue Bridge v2 IoT light controller. There’s nothing unusual here, really. Connect to the device over serial, interrupt the boot process, boot up open firmware, dump the existing firmware, and work the hacker magic from there.

Of course, the details are the real story. Philips had set U-Boot to boot the firmware from flash in zero seconds, not allowing [pepe2k] much time to interrupt it. So he desoldered the flash, giving him all the time in the world, and allowing him to change the boot delay. Resoldering the flash and loading up his own system let him dump the firmware.

The “hacker magic” glossed over in the intro consisted of poking around until he found a script that was called on every boot. This is how [pepe2k] gets around not knowing the root password. The script compares the hash of the typed password with an environment variable, set with the hash of the correct password. Changing that environment variable to the hash of his favorite password (“root”) made him master of the box.
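The check described above, modelled as an added example (not code from the article or from the bridge firmware): hashing the typed password and comparing it with a hash kept in the boot environment, beside a mitigation that refuses to trust an environment whose integrity tag does not verify. The environment layout, the variable name root_pw_hash and the key storage are assumptions.

```python
import hashlib
import hmac

# Constructed sample environment standing in for the U-Boot env the article
# describes; the variable name "root_pw_hash" is an assumption.
ENV = {
    "bootdelay": "0",
    "root_pw_hash": hashlib.sha256(b"factory-secret").hexdigest(),
}

def check_password(typed: str, env: dict) -> bool:
    """The check as described: hash the typed password and compare it with
    the hash held in the environment. A constant-time compare avoids timing
    leaks but cannot help once the stored hash itself has been replaced."""
    digest = hashlib.sha256(typed.encode()).hexdigest()
    return hmac.compare_digest(digest, env.get("root_pw_hash", ""))

def serialize_env(env: dict) -> bytes:
    return "\n".join(f"{k}={env[k]}" for k in sorted(env)).encode()

def seal_env(env: dict, key: bytes) -> bytes:
    """Mitigation: bind the whole environment to a key the bootloader reads
    from storage the flash editor cannot rewrite (assumed here)."""
    return hmac.new(key, serialize_env(env), hashlib.sha256).digest()

def load_env(env: dict, tag: bytes, key: bytes) -> dict:
    """Refuse an environment whose tag does not verify instead of trusting
    whatever hash currently sits in flash."""
    if not hmac.compare_digest(seal_env(env, key), tag):
        raise ValueError("environment integrity check failed")
    return env

BOOT_KEY = b"constructed-key-held-outside-rewritable-flash"

def demo() -> dict:
    sealed = seal_env(ENV, BOOT_KEY)
    # The article's edit: the stored hash replaced by the hash of "root".
    tampered = dict(ENV, root_pw_hash=hashlib.sha256(b"root").hexdigest())
    results = {
        "correct_pw": check_password("factory-secret", ENV),
        "wrong_pw": check_password("root", ENV),
        "tampered_unsealed": check_password("root", tampered),
    }
    try:
        load_env(tampered, sealed, BOOT_KEY)
        results["tampered_sealed_loaded"] = True
    except ValueError:
        results["tampered_sealed_loaded"] = False
    return results
```

The weak check accepts the edited environment outright; the sealed variant rejects it before the password is even compared, which is the property a bootloader needs when its environment lives in rewritable flash.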

And just in case you’re one of the few Hackaday readers who doesn’t understand why we do these things, besides the fact that it’s just fun, consider Philips’ (eventually retracted) clampdown on the interoperability of this very device, or Google’s red bricks. The fatal flaw of IoT devices is that they place you at the whims of companies who may decide that they’re not making enough money any more, and shut them down. Keep your hacking skills sharp.

Thanks [Jan] for the great tip!

9 thoughts on “Root on the Philips Hue IoT Bridge”

  1. As a hue user, I feel slightly comforted that you need some physical access to make this happen.

    That being said, I wonder what new and lovely attack vectors we’ll learn about now that we’re under the hood ;-)

    1. The physical access is the thing. This is absolutely a you-own-the-box-that-you-own hack, and not a remote exploit. It’s a good deed. As a Hue user, you should be stoked! Now you can play. :)

      Your second point is unfortunately also right on. Botnets of lightbulbs. Shudder.

    2. I don’t know if any GPL violations will be found but some credit goes to Philips for at least making it easy to get a broad overview of used open source as the only web page the hue hub displays to the user.

      This is what the current firmware shows:

      Welcome to hue – your personal wireless lighting system. For more information please see our website http://www.meethue.com

      Open Source

      hue statically links towards unmodified open source software libraries in the bridge software. For instance, we make use of a real time operating system called FreeRTOS which is distributed under a modified GPL license and an open source IP stack called lwip distributed under a BSD license. Links towards all license terms and sources are available below.

      FreeRTOS v7.4.2

      Website: http://www.freertos.org
      License: freertos_license.txt

      lwIP v1.4.1

      Website: http://savannah.nongnu.org/projects/lwip/
      License: lwip_license.txt

      SHA-1

      Website: http://www.packetizer.com/security/sha1/
      License: sha_license.txt

      OpenSSL AES Encryption

      Website: https://www.openssl.org/docs/apps/enc.html
      License: aesenc_license.txt

      JSON_checker

      Website: http://www.json.org/JSON_checker/
      License: jsonchecker_license.txt

      UTF-8 Decoder

      Website: http://bjoern.hoehrmann.de/utf-8/decoder/dfa
      License: utf8decoder_license.txt

  2. Did something similar but easier with the nanoleaf smarter hub. Soldered the UART header, and exposed a shell with busybox nc and mkfifo. Haven’t cared about cracking its MD5 hashed root pwd yet.

  3. The fact that Hue doesn’t provide an open interface for hacking/access to the device is the main reason I have not (and will not until they do) purchased any Hue devices.

    Although these hacks are a good deed in service of those who have purchased such products, I believe that we should start discouraging people from buying products encumbered this way in the first place.

    There are lots of IoT products out there these days that I would like to have, but I’m at a point where I am avoiding purchases of most products that don’t provide at least a local API for me to interact with the device directly. I encourage others to reject this idea that you have to purchase a device which you don’t actually own from a software perspective. Let’s face it, you don’t actually own it if you can’t pwn it.

    1. While it’s not well documented, the hue does have a REST API I’ve been using for years that works just fine locally on my LAN. A little cron and PHP shuts off my lights every morning at 10a if I forget to turn them off before hustling out the door for work.
