Lack of Transport Encryption in Philips Hue Bridge by Philips
CVE-2017-14797
7.5 HIGH
Summary
The Philips Hue Bridge BSB002 SW 1707040932 lacks transport encryption in its public API, which allows attackers on the local network to intercept its HTTP traffic. By sniffing this traffic, an unauthorized user can capture API keys, bypass the pushlink protection mechanism, and gain complete control over the connected accessories. Securing API communications is crucial to prevent unauthorized access and ensure the integrity of connected devices.
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved