Smart bulbs turn dumb: Lights out for Philips as Hue API goes dark

Which bright spark should we blame after this illuminating revelation of current affairs?

Philips' Hue smart-home lighting has had an embarrassing outage with its API going offline for four hours on Thursday, preventing customers from accessing the system remotely.

On the same day that the company launched its new service – where its lights will respond automatically to streaming music and games – the system died for anyone trying to activate the hardware while outside their house, or using voice control. In-home control was unaffected.

The loss of remote control mirrors a similar outage with Nest earlier this month where customers were unable to use the Nest app remotely to unlock doors or turn off/on its security alarm.




Neither company has provided an explanation for what went wrong, but based on anecdotal reports and a rough understanding of how the systems work, it looks a lot like a DNS issue in both cases.

That could be a misconfigured DNS server, or a mistake in the code of a software update, or possibly a DDoS attack on specific servers from potential extortionists. We have asked both companies for a more detailed explanation.

"We are aware of the current issue linked to remote connectivity (out of home, voice control). We're working hard to solve the issue asap," the biz stressed on its Twitter account.

An hour later it promised it was making progress on the issue, and three hours after that message it said the issue was "Solved! All systems are good to go" before offering "sincere apologies for the inconvenience caused. We are fully investigating the root cause to avoid and prevent any reoccurrence."


It's hard to make much from that message, but the fact that voice control was affected whereas local control wasn't would strongly suggest an internet-based problem, because we understand that voice commands on the Hue system are sent up to the company's servers to be understood, and the relevant control is then sent back down to the system.

We can't really think of any good reasons why remote control of Hue lights would be useful. But that is beside the point: the one big factor preventing a broader uptake of smart home products is the concern that their connection to the larger internet opens the system up to potential hacking, or unexpected problems.

Such as earlier this month when Amazon's Alexa went rogue and decided it had heard one couple telling it to send a message to someone in the husband's contacts list, and then recorded and sent a discussion about hardwood floors to one of his employees without them realizing.

The outages themselves are often short-lived, and so far we haven't seen any connection to hacking or the theft of information, but they are a constant reminder that connecting anything to the internet brings with it risks. ®
