Philips Hue Bridge HomeKit Protocol Flaw Let Attackers Bypass Authentication via Static Nonce
A static nonce vulnerability in the Philips Hue Bridge's HomeKit Accessory Protocol allows network-adjacent attackers to bypass SRP authentication without credentials, a flaw demonstrated at Pwn2Own.

A critical authentication bypass vulnerability has been disclosed in the Philips Hue Bridge, the central hub for Philips smart lighting systems. Tracked as CVE-2026-3559 and assigned a CVSS score of 8.1, the flaw resides in the HomeKit Accessory Protocol (HAP) service, which listens on TCP port 8080 by default. The vulnerability was demonstrated at the Pwn2Own hacking contest and publicly disclosed on March 6, 2026, by the Zero Day Initiative (ZDI).
The root cause of the vulnerability lies in the use of a static nonce value within the Secure Remote Password (SRP) authentication mechanism. In cryptographic protocols, a nonce—a number used once—is intended to be randomly generated for each session to prevent replay attacks. However, the Philips Hue Bridge implementation reuses a fixed nonce, allowing an attacker to capture and replay authentication data. This enables a network-adjacent attacker to bypass SRP authentication entirely without needing any credentials or user interaction.
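A defender can confirm whether a bridge still repeats per-session SRP values by comparing challenge bodies recorded from separate pairing attempts. The following is an added example, not code from Philips, ZDI or the researchers: it decodes HAP TLV8 bodies and reports any salt or server public key that appears in more than one session. It assumes those two fields are the values worth comparing (the advisory summary above does not say which value is static); the function names are hypothetical and the sample bytes are constructed.

```python
from collections import defaultdict

# TLV8 type codes used by HAP pairing messages. Assumption: salt and server
# public key are the per-session values to compare; the page names neither.
TLV_SALT, TLV_PUBLIC_KEY, TLV_STATE = 0x02, 0x03, 0x06
PER_SESSION = {TLV_SALT: "salt", TLV_PUBLIC_KEY: "public_key"}

def parse_tlv8(body):
    """Decode TLV8, joining fragments of values longer than 255 bytes."""
    items, pos, prev_type, prev_len = {}, 0, None, 0
    while pos < len(body):
        if pos + 2 > len(body) or pos + 2 + body[pos + 1] > len(body):
            raise ValueError("truncated TLV8 item")
        tlv_type, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if tlv_type == prev_type and prev_len == 255:
            items[tlv_type] += value  # continuation fragment
        else:
            items[tlv_type] = value
        prev_type, prev_len = tlv_type, length
        pos += 2 + length
    return items

def find_reused_values(responses):
    """Map field name -> session indexes whose value also appeared elsewhere."""
    seen = defaultdict(list)
    for index, body in enumerate(responses):
        tlv = parse_tlv8(body)
        for tlv_type, name in PER_SESSION.items():
            if tlv_type in tlv:
                seen[(name, tlv[tlv_type])].append(index)
    reused = defaultdict(list)
    for (name, _), indexes in seen.items():
        if len(indexes) > 1:
            reused[name].extend(indexes)
    return dict(reused)

def encode_tlv8(tlv_type, value):
    """Build one TLV8 item (fragmented at 255 bytes) for the constructed samples."""
    chunks = [value[i : i + 255] for i in range(0, len(value), 255)] or [b""]
    return b"".join(bytes([tlv_type, len(c)]) + c for c in chunks)

def sample_response(salt, public_key):
    """Constructed stand-in for a recorded challenge body, not device output."""
    return (encode_tlv8(TLV_STATE, b"\x02") + encode_tlv8(TLV_SALT, salt)
            + encode_tlv8(TLV_PUBLIC_KEY, public_key))

if __name__ == "__main__":
    same = sample_response(b"\x11" * 16, b"\xaa" * 384)
    print(find_reused_values([same, same, sample_response(b"\x22" * 16, b"\xbb" * 384)]))
```

An empty result across many sessions is what a correctly randomized implementation should produce; any repeated field is a regression worth investigating.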
Exploitation does not require authentication, making the attack surface particularly broad. An attacker only needs to be on the same network as the vulnerable Hue Bridge to send crafted packets to port 8080. Once the SRP check has been bypassed, the attacker could potentially gain full control over the bridge, including the ability to manipulate connected lights, exfiltrate network configuration data, or pivot to other devices on the local network. The ZDI advisory notes that the attack can achieve high impact on both confidentiality and integrity, though availability is not affected.
The vulnerability affects all Philips Hue Bridge v2 devices running software versions prior to 1975170000. Philips has released a firmware update that addresses the issue, available through the official Philips Hue release notes. Users are strongly advised to update their bridge software immediately. The Hue Bridge v1 (square model) is not affected, as it does not support HomeKit.
The flaw was discovered and reported to Philips on November 18, 2025, by security researchers Ho Xuan Ninh and Hoang Hai Long from Qrious Secure. Their demonstration at Pwn2Own Berlin 2026 contributed to the contest's total of 47 zero-days exploited, earning researchers over $1.3 million in prizes. The coordinated disclosure followed a responsible timeline, with Philips releasing the patch before the public advisory.
This vulnerability highlights a recurring pattern in IoT security: the misuse of cryptographic primitives in resource-constrained devices. Static nonce flaws have been found in numerous smart home products, from smart locks to thermostats, often because developers prioritize performance over randomness. The HomeKit Accessory Protocol is designed to provide strong security for Apple's smart home ecosystem, but implementation errors like this one can undermine those protections entirely.
For Philips Hue users, the risk is mitigated by the requirement for network adjacency—attackers must be on the same local network. However, in shared living spaces, hotels, or office environments where the bridge is on a guest network, the attack becomes a realistic threat. Users should ensure their bridge firmware is updated and consider segmenting IoT devices onto a separate VLAN to limit the blast radius of any future vulnerabilities.