Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researchers Hack Smartphone-Controlled LED Light Bulbs

Wi-Fi enabled LED light bulbs manufactured by LIFX have been hacked by researchers from Context Information Security, the company said Friday.

Wi-Fi enabled LED light bulbs manufactured by LIFX have been hacked by researchers from Context Information Security, the company said Friday.

The energy efficient light bulbs are designed to use a Wi-Fi connection to allow users to control them through a smartphone application. As part of its effort to raise awareness of Internet of Things (IoT) security, Context demonstrated that the lack of protection measures enables an attacker within the wireless range to control all connected bulbs and expose user network configurations such as Wi-Fi credentials.

According to Context, there are three main communication components: bulb Wi-Fi communication, smartphone to bulb communication, and bulb mesh network communication. The system is designed so that only a master bulb is connected to the Wi-Fi network through which it receives commands from the smartphone. The other bulbs get the commands from the master bulb over an 802.15.4 6LoWPAN wireless mesh network. When a new bulb is added, it receives the Wi-Fi details, information which is encrypted, from the master bulb.  

Vulnerability Found in Smartphone-Controlled LED Light Bulbs

The first security issue found by researchers was the fact that the wireless communication protocols used for the bulb mesh network were in most part unencrypted, allowing them to inject traffic and control the light bulbs with the aid of an AMTEL AVR Raven wireless kit. By injecting arbitrary packets into the mesh network, an attacker can request Wi-Fi credentials, but the information is encrypted, Context said. Experts found a way to decrypt the information by extracting the firmware from the device and reverse engineering it.

“Armed with knowledge of the encryption algorithm, key, initialization vector and an understanding of the mesh network protocol we could then inject packets into the mesh network, capture the WiFi details and decrypt the credentials, all without any prior authentication or alerting of our presence,” Context researchers explained in a blog post.

Context reported its findings to LIFX, which released a firmware update (version 1.2) to address the security issues.  In the latest version of the firmware, 6LoWPAN traffic is encrypted and adding new bulbs to the network is done in a secure manner. Representatives from the manufacturer claim there is no evidence that the vulnerability has been exposed by anyone besides Context, most likely due to the complexity of the attack.

“Hacking into the light bulb was certainly not trivial but would be within the capabilities of experienced cyber criminals,” said Michael Jordon, research director at Context Information Security. “In some cases, these vulnerabilities can be overcome relatively quickly and easily as demonstrated by working with the LIFX developers. In other cases the vulnerabilities are fundamental to the design of the products.  What is important is that these measures are built into all IoT devices from the start and if vulnerabilities are discovered, which seems to be the case with many IoT companies, they are fixed promptly before users are affected.”

 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.