Flicker and fall: rooting the Philips Hue Bridge both remotely and wirelessly — Anthony Remy, Baptiste Verstraeten, Guillaume Chantrel, Maxime Turlure, Valentino Ricotta
Date: 03 June 2026 at 11:30 (30 min).
Home automation technologies are widely deployed in both domestic and enterprise environments. Philips Hue, in particular, is a leading smart lighting platform. As with many IoT products, however, uneven code quality and limited hardening can lead to serious security implications.
As part of Pwn2Own Ireland, we identified several bugs that allowed full compromise of the Philips Hue Bridge, the control center of the Hue lighting system. Because of the bridge's central role, an attacker may not only manipulate the lighting network to disrupt home automation, but also gain a persistent foothold in the local network.
In this talk, we will go over the internal architecture of the bridge before presenting a chain of bugs targeting a flawed implementation of Apple's HomeKit protocol.
We will also discuss a vulnerability reachable via Zigbee, a wireless protocol used by many smart home appliances. While it is used by the bridge to communicate with accessories such as light bulbs, it introduces a valuable attack surface for physically close attackers.
In both scenarios, we will demonstrate how these bugs were exploited to gain root access on the device.