According to a report published over the weekend, the LIFX smartphone-controlled lightbulb contains a system-breaking vulnerability, one which enables an attacker to freely roam the Wi-Fi network the bulbs are connected to, as well as track any mobile devices which may have been used as a control center while the exploit was active.
“Armed with knowledge of the encryption algorithm, key, initialization vector, and an understanding of the mesh network protocol we [were able to] inject packets into the mesh network, capture the Wi-Fi details, and decrypt the credentials, all without any prior authentication or alerting of our presence,” a member of the research team at Context wrote.
The LED lightbulbs are just one entry into a growing market of competitors who are looking to take our homes from the analog stone age into the future of the digital, linking up smartphones, tablets, and their apps to everything from our fridges to the temperature of the kitchens we keep them in.
After Google acquired the net-connected thermostat company Nest this year, analysts were abuzz with speculation as to where we could see the IoT (Internet of Things) take off to next.
Samsung, LG, and Sony have all thrown their respective hats into the ring as well, likely in anticipation of the massive $19 trillion in sales that Cisco’s CEO sees amassing on the horizon for the industry in just the next ten years alone.
But with all that anticipation comes a risk that has been severely understated as more and more companies ready new departments to jump on the bandwagon: security.
When devices that are integrated into our homes are compromised, you not only risk losing the data on devices that are hooked up to the same network, but also run the possibility of having your every move and mood tracked and logged by an array of sensors which can do everything from telling you when the milk is getting low to automatically turning on the lights in a room when sensors detect movement on the floor or in your bed.
A cracked cell phone may leak GPS coordinates, but a hacked house can reveal every intimate detail about you, including when you take your morning shower or when a baby is asleep in the other room.
The LIFX issue was initially brought to light when a researcher was able to exploit a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the older IEEE 802.15.4 standard.
“It is clear that in the dash to get into the IoT market, security is not being prioritised as highly as it should be in many connected devices,” said Michael Jordon, research director at Context. “We have also found vulnerabilities in other internet connected devices from home storage systems and printers to baby monitors and children’s toys.”
LIFX has since updated the firmware used to control the bulbs to version 1.3 in response to Context’s discovery, and has assured members of the press that no data had been lost or compromised as a result of the hole while it was still left open.