A hacker that goes by the handle “LimitedResults” has demonstrated how they were able to hack into a popular internet-connected light bulb and extract the owner’s Wi-Fi login and password, as well as other valuable data, in under an hour.
The smart light bulb in question is the LIFX mini white, which is sold online and in many home improvement stores for around $25. The light bulb is controlled by an app on the users’ phone, but as LimitedResults discovered, the lack of security on the smart device itself meant that it could also potentially be controlled by an attacker.
As LimitedResults detailed on their blog last week, they used a handsaw to break open the light and remove the bulb’s main chip. They then connected the bulb’s chip to another chip that allowed them to interface with the bulb’s hardware through a USB port.
According to LimitedResults, the users’ Wi-Fi credentials were stored in plaintext—meaning unencrypted and plainly readable—in the bulb’s memory.
LimitedResults was also able to extract the private encryption key from the bulb’s memory. According to LimitedResults, this vulnerability could allow anyone to spoof the legitimate user and remotely control the light.
The device didn’t appear to have any security settings whatsoever, LimitedResults wrote. They said there was no secure boot, which ensures that the device can’t be controlled by unauthorized software or hardware, no flash encryption, and JTAG was enabled, meaning anybody could write data to a device’s memory.
On Thursday, LIFX published a press release that said the “moderate to severe vulnerabilities” discovered by LimitedResults were fixed in firmware and app updates released in late 2018. According to the company, users’ Wi-Fi credentials are now encrypted, security settings for accessing the bulb’s memory are now in place, and the private key is now encrypted.
A LIFX spokesperson told me in an email that the reason these precautions weren’t taken to begin with was due to concerns about the hardware security features.
“During the development phase our team understood that the encrypted storage feature may not have been ready for large scale use,” the spokesperson said. “Our oversight was not revisiting this to ensure the best solution was in place, which we have now corrected with firmware updates.”
Shoddy security on internet of things (IoT) devices is not uncommon in the industry. In fact, these sorts of problems are so widespread— from teddy bears that leak video to pressure cookers that leak your cell phone pictures—that they’ve even spawned a popular parody account, the Internet of S——, which is dedicated to chronicling IoT blunders.
This isn’t the first time LIFX smart bulbs has been hacked. Back in 2014, British security researchers managed to access a private Wi-Fi network by hacking into a LIFX smart bulb.
LimitedResults told me that they that the problem with IoT security could be solved by more stringent regulation. In lieu of that, however, they said that these companies need to take responsibility for their own products and develop them with security in mind.
“It is not difficult to secure this data,” LimitedResults told me.
Originally published in Motherboard by Daniel Oberhaus on January 31, 2019