
Has your smart WiFi-enabled LED light bulb been hacked?

Graham Cluley

July 08, 2014


More and more gadgets and devices around the home are leaping on the Internet of Things (IoT) bandwagon, and getting connected to the net. But are vendors treating security as a priority?

That’s the question which has to be asked once again, after security researchers discovered a security weakness in a make of internet-enabled LED light bulb that can be controlled via a funky smartphone app.

When you watch the promotional video for LIFX’s multi-coloured energy efficient LED light bulbs you are left with the impression that they’re pretty neat.

But there must have been a few raised eyebrows when researchers at Context published an analysis of security vulnerabilities in LIFX smart light bulbs. They described how, by gaining access to a “master bulb”, they were able to control all connected bulbs and expose the user’s network configuration.

The encouraging news is that what the researchers from Context did was far from simple, and required them to physically take a LIFX smart bulb apart to access its printed circuit board (PCB) and reverse-engineer the device’s firmware.

Furthermore, any attacker would have to be in close proximity to their target rather than on the other side of the world meddling with the smart lighting via the net.

Context’s researchers summed up the outcome of that work in their analysis:

Armed with knowledge of the encryption algorithm, key, initialization vector and an understanding of the mesh network protocol we could then inject packets into the mesh network, capture the WiFi details and decrypt the credentials, all without any prior authentication or alerting of our presence. Success!

It should be noted that, since this attack works on the 802.15.4 6LoWPAN wireless mesh network, an attacker would need to be within wireless range, ~30 meters, of a vulnerable LIFX bulb to perform this attack, severely limiting the practicality for exploitation on a large scale.

Fortunately, the Context researchers acted responsibly: they informed LIFX of the security issue and even helped the company develop a fix, so that all 6LoWPAN traffic is now encrypted using a key derived from the WiFi credentials rather than a key that is the same in every bulb.
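The difference between the two designs is worth seeing in code. The following is an added example, not LIFX’s firmware or Context’s research code: it contrasts a key baked into the firmware (which anyone who dumps one bulb can read, as Context did) with a per-network key derived from the WiFi credentials. The choice of HKDF-SHA256, the “mesh-link-key” label and the 16-byte key length are assumptions made for the illustration; the page does not say which KDF LIFX used.

```python
import hashlib
import hmac

# Added example (not LIFX's code). A firmware-wide constant like this is what a
# hardware teardown plus firmware reverse-engineering recovers; the value below
# is a constructed placeholder, not anything taken from a real device.
HARDCODED_MESH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256: PRK = HMAC(salt, IKM)."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256, producing `length` bytes of key material."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_mesh_key(ssid: str, passphrase: str, key_len: int = 16) -> bytes:
    """Per-network mesh key (assumed design): the SSID acts as salt and the WiFi
    passphrase as input keying material, so the key differs for every network and
    cannot be read out of the firmware image alone."""
    prk = hkdf_extract(ssid.encode("utf-8"), passphrase.encode("utf-8"))
    return hkdf_expand(prk, b"mesh-link-key", key_len)


def recoverable_from_firmware_alone(key_in_use: bytes) -> bool:
    """Models an attacker who holds only what a firmware dump gives them.
    With the hardcoded design the key in use is exactly the extracted constant;
    with the derived design it is not, because the credentials never sit in firmware."""
    return hmac.compare_digest(key_in_use, HARDCODED_MESH_KEY)


def hkdf_self_test() -> bool:
    """Check the KDF against RFC 5869 test case 1 before trusting it."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")


if __name__ == "__main__":
    assert hkdf_self_test()
    # Two constructed home networks; the derived keys are unrelated to each other
    # and to anything stored in the firmware.
    key_a = derive_mesh_key("HomeNet", "correct horse battery staple")
    key_b = derive_mesh_key("Neighbour", "hunter2-but-longer")
    print("hardcoded key recoverable from firmware:", recoverable_from_firmware_alone(HARDCODED_MESH_KEY))
    print("derived key recoverable from firmware:  ", recoverable_from_firmware_alone(key_a))
    print("network A key:", key_a.hex())
    print("network B key:", key_b.hex())
```

The point the example makes is the one in the paragraph above: a teardown of one bulb no longer yields a secret that works against every other bulb of the same model. The caveat is that a credential-derived key is only as strong as the WiFi passphrase it is derived from, and that encryption of the mesh link does nothing for a device whose firmware has not been updated to use it, which is why the vendor’s advice to apply the update matters.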

In a blog post, the firm said that it was unaware of any users being affected by the security issue.

In rare circumstances the security issue could expose network configuration details on the mesh radio, requiring a person to dismantle a bulb, reverse engineer the debug connection and firmware, then be physically present with dedicated hardware within the bounds of your WiFi network (not from the internet), e.g. someone hiding in your garden with complex technical equipment.

No LIFX users have been affected that we are aware of, and as always we recommend that all users stay up to date with the latest firmware and app updates.

LIFX has now issued a software update to its smart bulb firmware which is said to address the security issue.

Trying to protest against the Internet of Things feels as foolish as believing that King Canute can stop the incoming tide.

It’s going to happen, whether we like it or not – all we can hope is that, as a multitude of vendors begin to sell their household devices as internet-enabled, they give some consideration to customers’ security and privacy.
