Has your smart WiFi-enabled LED light bulb been hacked?

More and more gadgets and devices around the home are leaping on the Internet of Things (IoT) bandwagon, and getting connected to the net. But are vendors treating security as a priority?

That’s the question which has to be asked once again, after security researchers discovered a security weakness in a make of internet-enabled LED light bulb that can be controlled via a funky smartphone app.

When you watch the promotional video for LIFX’s multi-coloured energy efficient LED light bulbs you are left with the impression that they’re pretty neat.

But there must have been a few raised eyebrows, when researchers at Context published an analysis of security vulnerabilities in LIFX smart light bulbs, where they described how by gaining access to a “master bulb” they were able to control all connected bulbs, and expose user network configurations.

The encouraging news is that what the researchers from Context did was far from simple, and required them to physically take a LIFX smart bulb apart to access its printed circuit board (PCB) and reverse-engineer the device’s firmware.

Furthermore, any attacker would have to be in close proximity to their target rather than on the other side of the world meddling with the smart lighting via the net.

Armed with knowledge of the encryption algorithm, key, initialization vector and an understanding of the mesh network protocol we could then inject packets into the mesh network, capture the WiFi details and decrypt the credentials, all without any prior authentication or alerting of our presence. Success!

It should be noted, since this attack works on the 802.15.4 6LoWPAN wireless mesh network, an attacker would need to be within wireless range, ~30 meters, of a vulnerable LIFX bulb to perform this attack, severely limiting the practicality for exploitation on a large scale.

Fortunately, the Context researchers acted responsibly and informed LIFX of the potential security issue, and even helped them develop a fix which means that all 6LoWPAN traffic is now encrypted, using a key derived from the WiFi credentials.

In a blog post, the firm said that it was unaware of any users being affected by the security issue.

In rare circumstances the security issue could expose network configuration details on the mesh radio, requiring a person to dismantle a bulb, reverse engineer the debug connection and firmware, then be physically present with dedicated hardware within the bounds of your WiFi network (not from the internet). Eg. Someone hiding in your garden with complex technical equipment.
No LIFX users have been affected that we are aware of, and as always we recommend that all users stay up to date with the latest firmware and app updates.

LIFX has now issued a software update to its smart bulb firmware which is said to address the security issue.

Trying to protest against the Internet of Things feels as foolish as believing that King Canute can stop the incoming tide.

It’s going to happen, whether we like it or not – all we can hope is that as a multitude of vendors begin to sell their household devices as internet-enabled that they give some consideration to customers’ security and privacy.