A high-profile ‘connected’ lighting system had a critical vulnerability that allowed attackers to take control of the entire system, switching off its Wi-Fi light bulbs at will, and that could be exploited by criminals within 100 feet of a home, according to specialist security firm Context.
Context found the vulnerability in the LiFX system, a well-known Kickstarter-funded lighting system where a network of Wi-Fi light bulbs can be controlled via smartphone app.
LiFX describes the system as a “Wi-Fi enabled, multi-color, energy efficient LED light bulb that you can control with your smartphone.”
Electronics Weekly said that the hack was a “warning for all Internet of Things companies”.
Speaking to Electronics Weekly, Context’s Michael Jordon said, “It is clear that in the dash to get onto the IoT bandwagon, security is not being prioritized as highly as it should be in many connected devices. We have also found vulnerabilities in other internet connected devices from home storage systems and printers to baby monitors and children’s toys.”
The researchers found a vulnerability in the wireless mesh network the bulbs used to communicate, which could have enabled attackers to control the system.
Context said that by gaining control of one “master” bulb, they could control the entire network, and intercept communications containing the bulbs’ network credentials – all without the smartphone app being alerted that there was anything wrong.
The firm admits that obtaining the firmware was difficult – having had to use a hammer on a bulb and reverse-engineer it from the electronics – but says that later in a product’s lifecycle the process would be easier, when firmware would be available as a download on the internet.
Context said in its blog post, “With any internet connecting device, whether phone, laptop, light bulb or rabbit, there is always a chance of someone being able to hack it.”
LiFX has since issued a patch for the vulnerability and communications between bulbs will now be encrypted.
Speaking to CBR Online, Michael Jordon of Context said, “Hacking into the light bulb was certainly not trivial but would be within the capabilities of experienced cyber criminals.
“In some cases, these vulnerabilities can be overcome relatively quickly and easily as demonstrated by working with the LIFX developers. In other cases the vulnerabilities are fundamental to the design of the products.
“What is important is that these measures are built into all IoT devices from the start and if vulnerabilities are discovered, which seems to be the case with many IoT companies, they are fixed promptly before users are affected.”
Last year, the Philips Hue “connected lighting” system was criticized over its security after a researcher showed off an attack which could have caused a “perpetual blackout” in the homes of users.
Author Rob Waugh, We Live Security