In June 2017 we already took a close look at the Philips Hue lighting system. Over the past few years, a lot has changed in the portfolio and the app – reason enough to take a second look at the system. Is the lighting system, whose manufacturer now operates as Signify, still recommendable? You can find out in the following test report.

Signify N.V., formerly Philips Lighting, has various national subsidiaries in addition to its Dutch headquarters. In 2016, the parent company Philips spun off the division into an independent company, and in 2018 the company was renamed to its current name. However, most products continue to be marketed under the Philips (Hue) brand.

Setup

Once the Hue Bridge is connected to the network via Ethernet cable and plugged into the power supply, the app can be paired with it. To do this, the button on the Hue Bridge must be pressed briefly to confirm the pairing.

Pairing of app and Hue Bridge

According to rumors, the current version of the Hue Bridge (2.1) also has WiFi hardware. This has since been confirmed, and the WiFi can be activated via workarounds. We mention this only for the sake of completeness, as it is not intended by Signify and voids the warranty.

Unfortunately, the overview of apps and services connected to the Bridge, which we requested in the last test, has still not been implemented. Although the user list is no longer sent over the network in plain text, it is still not possible to check who else has access to the lighting system. This would be important, especially because pairing is so easy.

Local communication

The first time the app is opened, it searches for network devices with port 80 open and queries each one via HTTP.

HTTP request of the Hue Bridge

If a Hue Bridge is found, the app switches directly to TLS 1.2 encrypted communication.

TLS1.2 encrypted communication between app and Bridge

This was not the case in our last test. At that time, an unencrypted API was used; it is still available, but is no longer used by the app. It does remain available to other smart home systems for (local) control.

Online communication

To control the lighting while away from home, remote control must be activated via the Hue app. For this purpose, an account must be created at meethue.com and linked to the Bridge.

When the Hue app is opened, https://discovery.meethue.com is called, which returns the ID and internal IP address of all Hue Bridges known for the caller's public IP address. If the ID matches the registered bridge, the app tries to connect to it locally. If this fails, requests are routed through the cloud.
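One way to implement the client-side route selection described above, as an added Python example that is not code from the Hue app or from Signify; the JSON key names, the bridge IDs and the local probe callback are constructed assumptions:

```python
import json
from typing import Callable, Optional, Tuple

# Constructed sample of what the discovery endpoint returns for one public IP:
# a list of bridges with their ID and LAN address. The key names "id" and
# "internalipaddress" are assumed for this example.
SAMPLE_DISCOVERY = json.dumps([
    {"id": "aabbccddeeff0011", "internalipaddress": "192.168.1.20"},
    {"id": "1122334455667788", "internalipaddress": "192.168.1.21"},
])


def choose_route(discovery_json: str, registered_id: str,
                 probe_local: Callable[[str], bool]) -> Tuple[str, Optional[str]]:
    """Decide how the app should reach the bridge it was paired with.

    Returns ("local", ip) when a bridge with the registered ID is listed and
    answers on the LAN, ("cloud", None) when it is listed but unreachable
    locally, and ("unknown", None) when no listed bridge carries that ID, in
    which case nothing is contacted at all. probe_local(ip) stands in for the
    local TLS connection attempt and must return True on success.
    """
    bridges = json.loads(discovery_json)
    for bridge in bridges:
        if bridge.get("id") != registered_id:
            continue  # a different bridge behind the same public IP: ignore it
        ip = bridge.get("internalipaddress")
        if ip and probe_local(ip):
            return ("local", ip)
        return ("cloud", None)
    return ("unknown", None)
```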

The communication between app and cloud was always TLS 1.2 encrypted, in some cases even TLS 1.3. The connection between Hue Bridge and cloud is also largely TLS 1.2 encrypted. Diagnostic data is sent over unencrypted channels, but the packet content is separately AES-encrypted, as we explained in the last test.

App

The Philips Hue app was analyzed both statically and dynamically. In addition to a database with the data of the paired Hue Bridge and the API key required for control, the app data mainly contains the data and configuration of the integrated trackers (see privacy).

Database in the app data folder

Both local and remote connections to the Hue Bridge via api.meethue.com are secured by certificate pinning and thus effectively protected against man-in-the-middle attacks.

The obfuscation of the Android app's source code makes analysis by attackers more difficult. However, it must be noted that this is no guarantee of security (“security by obscurity”).

Firmware updates

In contrast to the communication between app and cloud or cloud and Hue Bridge, the firmware update process does not appear to have changed: firmware updates are still transmitted via HTTP.

Firmware update via HTTP

The firmware appears to be encrypted and signed, but transmitting it unencrypted nevertheless introduces unnecessary risk.

Entropy analysis of the firmware
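To illustrate the entropy analysis referred to in the caption, here is an added Python example (not the test lab's own tooling and not Signify code) that computes per-block Shannon entropy over a constructed stand-in image with a low-entropy header and a high-entropy body; the block size and the threshold are assumptions:

```python
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(blob: bytes, block_size: int = 1024) -> List[Tuple[int, float]]:
    """Entropy of each fixed-size block as (offset, entropy) pairs."""
    return [(off, shannon_entropy(blob[off:off + block_size]))
            for off in range(0, len(blob), block_size)]


def looks_encrypted(blob: bytes, block_size: int = 1024, threshold: float = 7.5) -> bool:
    """True when every block is close to the 8.0 maximum, which is how ciphertext
    (or already-compressed data) looks; plain code, strings and config produce
    visible dips. Threshold 7.5 suits 1024-byte blocks, where even uniform data
    measures a little below 8.0 because 256 symbols are sampled only 1024 times."""
    return all(e >= threshold for _, e in entropy_profile(blob, block_size))


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware image: a mostly-zero header block
    followed by four blocks of PRNG output (seeded, so results are repeatable)."""
    rng = random.Random(1234)
    header = b"HUEFW\x00\x01" + b"\x00" * 1017          # 1024 bytes, nearly constant
    body = bytes(rng.getrandbits(8) for _ in range(4 * 1024))
    return header + body
```

A real image is examined the same way: a profile that is flat near 8.0 from start to end suggests encryption, while dips reveal plaintext regions worth inspecting.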

In February 2020, Check Point published information about vulnerabilities in the lights and the Hue Bridge itself, which, with patience, would give the attacker access to the network. The vulnerabilities were reported to Signify in late 2019, and a new, patched firmware was available in January.

Privacy

The main Philips Hue privacy policy is supplemented by an “additional privacy notice for Philips Hue customers”. All in all, a customer or prospective buyer has to read a comparatively long privacy statement of over 4900 words and almost 20 A4 pages.

The Philips Hue app has 6 trackers integrated (Amplitude, Apptimize, Braze, Crashlytics, Firebase Analytics, HockeyApp). These are not mentioned by name in the privacy policy; trackers in general are mentioned only in passing, although the app communicates with them frequently. Some of the trackers are already contacted when the app is first launched – although the customer has not confirmed any privacy policy up to this point. The policy can be viewed in the app’s settings, but is not displayed for confirmation.

The privacy policy gives the impression that every action taken while using the app is recorded and stored, meticulously logging the way the system is used. Neither the privacy policy nor the additional privacy notice refers to anonymization or pseudonymization. On the contrary, usage data remains linked to personal data and is analysed in detail. Furthermore, data from internal and external sources may be obtained for a better understanding of interests and preferences and combined with the other recorded data. Direct marketing via the app or social platforms, including the associated “data consolidation”, can be deactivated in the Hue app.

Conclusion

In recent years, the Philips Hue system has been well maintained, security gaps have been closed and general security has been improved. In terms of privacy, Signify reserves the right to collect data extensively, which we believe goes far beyond what is necessary. Other manufacturers such as Dyson, Vorwerk or Apple, which also tend to be in the high-price segment, often refrain from using the data for advertising purposes and instead ensure that the user remains largely anonymous. Certainly, at first glance no far-reaching conclusions can be drawn from the use of a lighting system, but longer-term data recording does provide a good insight into an individual's lifestyle. Together with the firmware update downloaded via an unencrypted connection, this leads us to award a rating of 2 stars.