In June 2017 we already took a close look at the Philips Hue lighting system. Over the past few years, a lot has changed in the portfolio and the app – reason enough to take a second look at the system. Is the lighting system, whose manufacturer has since been renamed Signify, still recommendable? You can find out in the following test report.
Signify N.V., formerly Philips Lighting, has various national subsidiaries in addition to its Dutch headquarters. In 2016, the parent company Philips spun the division off into an independent company, and in 2018 that company was renamed to its current name. However, most products are still marketed under the Philips (Hue) brand.
Once the Hue Bridge is connected to the network via Ethernet cable and plugged into the power supply, the app can be paired with it. To do this, the button on the Hue Bridge must be pressed briefly to confirm the pairing.
According to rumors, the current version of the Hue Bridge (2.1) also has WiFi hardware. This has since been confirmed, and the WiFi can be activated via workarounds. We mention this only for the sake of completeness, as it is not intended by Signify and the warranty becomes void in this case.
Unfortunately, the overview of apps and services connected to the Bridge, which we requested in the last test, has still not been implemented. Although the user list is no longer sent over the network in plain text, it is still not possible to check who also has access to the lighting system. This would be important, especially because pairing works very easily.
The first time the app is opened, it searches for network devices with port 80 open and queries each one via HTTP.
If a Hue Bridge is found, the system switches directly to TLS1.2 encrypted communication.
This was not the case in our last test. At that time, an unencrypted API was used, which is still available, but is not used by the app. However, it remains available to other smart home systems for (local) control.
In order to control the lighting while away from home, remote control must be activated via the Hue app. For this purpose, an account at meethue.com must be created and linked to the Bridge.
When the Hue app is opened, https://discovery.meethue.com is called, which returns the ID and internal IP address of all Hue Bridges known under the requester's public IP. If one of the IDs matches the registered bridge, the app tries to connect to it locally. If this fails, requests are routed through the cloud.
The communication between app and cloud was always TLS1.2 encrypted, partially even TLS1.3. The connection between Hue Bridge and Cloud is also largely TLS1.2 encrypted. Diagnostic data is sent over unencrypted channels, but the packet content is separately AES-encrypted, as we explained in the last test.
The Philips Hue app was analyzed both statically and dynamically. In addition to a database with the data of the paired Hue Bridge and the API key required for control, the app data mainly contains the data and configuration of the integrated trackers (see privacy).
Both local and remote connections to the Hue Bridge via api.meethue.com are secured by certificate pinning and thus effectively protected against man-in-the-middle attacks.
The obfuscation of the Android app's source code makes analysis by attackers more difficult. However, it must be noted that this is no guarantee of security (“security by obscurity”).
In contrast to the communication between app and cloud or cloud and Hue Bridge, the firmware update process does not seem to have changed. The firmware updates are still transmitted via HTTP.
The firmware appears to be encrypted and signed, but transmitting it over an unencrypted connection nevertheless introduces unnecessary risk.
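To make concrete why signing matters when the image itself travels over HTTP, here is an added example of the checks an updater performs before installing an image; it is illustrative code, not Signify's update mechanism, and says nothing about how the Hue Bridge actually verifies firmware. It assumes a small manifest (version, size, SHA-256) that the device obtained over an authenticated channel, while the image bytes themselves arrived over plain HTTP and could have been altered in transit. The image, manifest and version numbers are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample: a fake image and a manifest describing it. In practice the
# manifest (or the image header) would carry a vendor signature; here the
# manifest is simply assumed to have arrived over a trusted channel.
FIRMWARE_IMAGE = b"EXAMPLE-FW\x00" + bytes(range(256)) * 8
MANIFEST: Dict[str, object] = {
    "version": 42,
    "size": len(FIRMWARE_IMAGE),
    "sha256": hashlib.sha256(FIRMWARE_IMAGE).hexdigest(),
}
INSTALLED_VERSION = 41


class FirmwareRejected(Exception):
    """Raised with a reason when an image must not be installed."""


def check_firmware(image: bytes, manifest: Dict[str, object], installed_version: int) -> None:
    """Validate an image fetched over an untrusted transport against a trusted manifest.

    Order matters: cheap structural checks first, the digest last, and nothing
    is written to flash until every check has passed.
    """
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        # Anti-rollback: an attacker who can replay traffic must not be able to
        # push a known-vulnerable older build.
        raise FirmwareRejected("version is not newer than the installed one")
    if manifest.get("size") != len(image):
        raise FirmwareRejected("image size does not match manifest")
    expected = manifest.get("sha256")
    if not isinstance(expected, str):
        raise FirmwareRejected("manifest has no digest")
    actual = hashlib.sha256(image).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(actual, expected):
        raise FirmwareRejected("image digest does not match manifest")


def firmware_is_acceptable(image: bytes, manifest: Dict[str, object], installed_version: int) -> bool:
    try:
        check_firmware(image, manifest, installed_version)
        return True
    except FirmwareRejected:
        return False


def tampered(image: bytes) -> bytes:
    """Flip one byte in the middle, as an on-path modification over HTTP would."""
    idx = len(image) // 2
    return image[:idx] + bytes([image[idx] ^ 0x01]) + image[idx + 1:]


if __name__ == "__main__":
    print(firmware_is_acceptable(FIRMWARE_IMAGE, MANIFEST, INSTALLED_VERSION))
    print(firmware_is_acceptable(tampered(FIRMWARE_IMAGE), MANIFEST, INSTALLED_VERSION))
```

The digest only protects the image if the manifest cannot be tampered with on the same path; an attacker who can rewrite the HTTP download can equally rewrite an HTTP-served manifest. That dependency is exactly what a signature on the image removes, and why transport encryption is still worth having as a second layer even when the image is signed.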
In February 2020, Check Point published information about vulnerabilities in the lights and the Hue Bridge itself, which, with patience, would give the attacker access to the network. The vulnerabilities were reported to Signify in late 2019, and a new, patched firmware was available in January.
In recent years, the Philips Hue system has been well maintained, security gaps have been closed and general security has been improved. In terms of privacy, Signify reserves the right to collect data extensively, which we believe goes far beyond what is necessary. Other manufacturers such as Dyson, Vorwerk or Apple, which also tend to be in the high-price segment, often refrain from using the data for advertising purposes and instead ensure that the user remains largely anonymous. Certainly, at first glance no far-reaching conclusions can be drawn from the use of a lighting system, but longer-term data recording does provide a good insight into an individual's lifestyle. Together with the firmware update downloaded via an unencrypted connection, we award a rating of 2 stars.