
Smart Home? These Connected LED Light Bulbs Could Leak Your Wi-Fi Password

This article is more than 9 years old.

Having a smart home with remotely connected heating, water, lighting and locking systems may not always be the smart choice unless you are particularly vigilant about applying the latest security updates - and unless your suppliers are on top of the security situation. The latest threat to connected homes has emerged: a popular brand of connected LED lightbulbs can be hacked to change the lighting and, worse, to reveal the homeowner's Wi-Fi password.

Researchers at Context Information Security were able to hack LIFX light bulb systems in order to reveal Internet passwords. The bulb company has released a firmware update in the last two weeks to fix the problem, but those users who have not updated are unprotected.

LIFX bulbs can be bought at Amazon and home improvement retailers, and controlled remotely by a smartphone so that users can turn their lights on and off when away from home. Before its launch in 2012 the company received over 13 times the Kickstarter funding it had sought, with over 9,000 backers, following a bid to revolutionize home lighting.

While the hacking steps were relatively complex for a layperson, hackers could easily exploit the vulnerability using standard and cheap equipment. The threat is therefore that a hacker can control the lighting in a house and also misuse its Internet connections for other purposes.


"We bought some light bulbs and examined how they talked to each other and saw that one of the messages was about the username and password," Michael Jordan, research director at Context Information Security, told the BBC. "By posing as a new bulb joining the network we were able to get that information."

The research only addresses lightbulbs, and the company is assessing other connected devices. It is likely to find vulnerabilities: some other devices, including various connected refrigerators and home surveillance systems, are known to be potential targets. As with any connected device, hackers will always look for a way in.

The Technical Details

The LIFX light bulbs use new wireless network protocols, which intrigued Context Information Security enough to attempt to hack the devices. They operate on an 802.15.4 6LoWPAN wireless mesh network, and are set up by simply screwing in the bulbs at home and controlling them from a downloadable smartphone application.


In a blog post, Context Information Security states that 6LoWPAN is a wireless communication specification built upon IEEE 802.15.4, the same base standard used by Zigbee, designed to allow IPv6 packets to be forwarded over low power personal area networks (PAN). In order to hack into the traffic, it acquired a straightforward peripheral device using the 802.15.4 specification, in this case the ATMEL AVR Raven with Contiki firmware.

Context Information Security found that the LIFX mesh network protocol was largely unencrypted, allowing it to "easily dissect the protocol, crop messages to control the light bulbs and replay arbitrary packet payloads". By monitoring packets from the mesh network when adding new bulbs, it was able to identify those which contained Wi-Fi network credentials: when any new bulbs are added, messages are transmitted from the master bulb containing Wi-Fi details.

Alarmingly, the researchers found that simply requesting the Wi-Fi details from the master bulb raised no alarms within the LIFX system. However, the details were encrypted.

The researchers then decrypted the firmware by pulling out the microcontrollers from the lighting systems. Having assessed the circuit boards, they were able to work out how to send commands to the chips (more details are on their blog). They state that using "common cryptographic constants", researchers were able to identify the encryption code and begin injecting packets into the network, "all without any prior authentication or alerting of our presence".
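The "common cryptographic constants" step is also a check a vendor can run on its own firmware build to see how visible its crypto routines are. The sketch below is an added example, not code from the article or from Context's research; choosing the AES S-boxes and SHA-256 initial values as the constants, and the constructed `SAMPLE_IMAGE`, are assumptions made for illustration.

```python
import struct

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def aes_sbox():
    """Derive the AES S-box from its definition rather than pasting 256 bytes."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p = p * 3 in GF(2^8)
        q ^= (q << 1) & 0xFF                                   # q = q / 3 in GF(2^8)
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        # q is the inverse of p; apply the affine transform to get S(p)
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse and is handled separately
    return bytes(sbox)

def signatures():
    """Byte patterns that give away well-known primitives (assumed set)."""
    sbox = aes_sbox()
    inv = bytearray(256)
    for i, v in enumerate(sbox):
        inv[v] = i
    sha256_iv = (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A)
    return {
        "AES S-box": sbox,
        "AES inverse S-box": bytes(inv),
        "SHA-256 IV (big-endian)": struct.pack(">4I", *sha256_iv),
        "SHA-256 IV (little-endian)": struct.pack("<4I", *sha256_iv),
    }

def scan_firmware(image: bytes):
    """Return sorted (offset, name) pairs for every signature found in the image."""
    hits = []
    for name, sig in signatures().items():
        off = image.find(sig)
        while off != -1:
            hits.append((off, name))
            off = image.find(sig, off + 1)
    return sorted(hits)

# Constructed stand-in for a firmware image: filler, an embedded S-box, more filler.
SAMPLE_IMAGE = b"\xff" * 0x400 + aes_sbox() + b"\x00" * 0x40

if __name__ == "__main__":
    for offset, name in scan_firmware(SAMPLE_IMAGE):
        print(f"0x{offset:06x}  {name}")
```

A hit only shows that the primitive's tables are present in the image; the review that follows is where the key used with that code comes from and whether it is stored in the same firmware.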

Connected Homes: A Secure Future?

Because of the nature of the LIFX network, an attacker would need to be less than 25 yards away to make the hack a success, "severely limiting the practicality for exploitation on a large scale". Nevertheless, it demonstrates that yet another connected home device can be accessed by relatively informed hackers using standard devices. More alarmingly, because the attack reveals the Wi-Fi password, hackers could make use of the entire home network - not just change the lighting.

As with all new devices connected to the Internet, there is a risk of hacking, and connected homes naturally face these concerns. But whether consumers understand the risks, or manufacturers keep up with the latest attacks, remains to be seen.

One thing is for sure: the cyber security war is ever-expanding and our home goods are far from exempt.
