Has your smart WiFi-enabled LED light bulb been hacked?

Graham CLULEY

July 08, 2014

More and more gadgets and devices around the home are leaping on the Internet of Things (IoT) bandwagon, and getting connected to the net. But are vendors treating security as a priority?

That’s the question which has to be asked once again, after researchers discovered a security weakness in a make of internet-enabled LED light bulb that can be controlled via a funky smartphone app.

When you watch the promotional video for LIFX’s multi-coloured energy efficient LED light bulbs you are left with the impression that they’re pretty neat.

But there must have been a few raised eyebrows when researchers at Context published an analysis of security vulnerabilities in LIFX smart light bulbs, where they described how, by gaining access to a “master bulb”, they were able to control all connected bulbs and expose user network configurations.

The encouraging news is that what the researchers from Context did was far from simple, and required them to physically take a LIFX smart bulb apart to access its printed circuit board (PCB) and reverse-engineer the device’s firmware.

Furthermore, any attacker would have to be in close proximity to their target rather than on the other side of the world meddling with the smart lighting via the net.

Armed with knowledge of the encryption algorithm, key, initialization vector and an understanding of the mesh network protocol we could then inject packets into the mesh network, capture the WiFi details and decrypt the credentials, all without any prior authentication or alerting of our presence. Success!

It should be noted that, since this attack works on the 802.15.4 6LoWPAN wireless mesh network, an attacker would need to be within wireless range, ~30 meters, of a vulnerable LIFX bulb to perform this attack, severely limiting the practicality for exploitation on a large scale.

Fortunately, the Context researchers acted responsibly and informed LIFX of the potential security issue, and even helped them develop a fix: all 6LoWPAN traffic is now encrypted using a key derived from the WiFi credentials, rather than a key shared by every bulb.

In a blog post, the firm said that it was unaware of any users being affected by the security issue.

In rare circumstances the security issue could expose network configuration details on the mesh radio, requiring a person to dismantle a bulb, reverse engineer the debug connection and firmware, then be physically present with dedicated hardware within the bounds of your WiFi network (not from the internet), e.g. someone hiding in your garden with complex technical equipment.
No LIFX users have been affected that we are aware of, and as always we recommend that all users stay up to date with the latest firmware and app updates.

LIFX has now issued a software update to its smart bulb firmware which is said to address the security issue.

Trying to protest against the Internet of Things feels as foolish as believing that King Canute can stop the incoming tide.

It’s going to happen, whether we like it or not – all we can hope is that, as a multitude of vendors begin to sell their household devices as internet-enabled, they give some consideration to customers’ security and privacy.
