CONTEXT Information Security says its researchers have exposed a security vulnerability in the LIFX Internet-enabled Wi-Fi LED light bulb.
Context said that by gaining access to the master bulb, it was able to control all connected light bulbs and expose user network configurations. LIFX has issued a patch, which is now available as a firmware update.
According to Context, this vulnerability highlights security issues with the latest wave of Internet of Things (IoT) devices.
“It is clear that in the dash to get onto the IoT bandwagon, security is not being prioritised as highly as it should be in many connected devices,” said Michael Jordon, Research Director at Context.
“We have also found vulnerabilities in other internet connected devices from home storage systems and printers to baby monitors and children’s toys. IoT security needs to be taken seriously, particularly before businesses start to connect mission critical devices and systems.”
The LIFX bulb was launched in September 2012 with crowd funding through the Kickstarter website. The architecture, based on the 802.15.4 6LoWPAN wireless mesh network, requires only one bulb to be connected to the wifi at a time.
Context researchers, by physically interrogating the master bulb’s embedded microcontrollers, managed to access the firmware, and identify and understand the encryption mechanism in use. By monitoring packets on the mesh network the researchers identified the specific packets which shared the encrypted network configuration among the bulbs.
Armed with knowledge of the encryption algorithm, key, initialisation vector and an understanding of the mesh network protocol, Context was able to inject packets into the mesh network, capture and decrypt the network configurations, all without any prior authentication or alerting of its presence.
The fix means the LIFX system now encrypts all 6LoWPAN traffic, using an encryption key derived from the Wi-Fi credentials. It also includes functionality for secure ‘on-boarding’ of new bulbs on to the network. It is available from http://updates.lifx.co/
“Hacking into the light bulb was certainly not trivial but would be within the capabilities of experienced cyber criminals,” said Jordon. “What is important is that these measures are built into all IoT devices from the start and if vulnerabilities are discovered, which seems to be the case with many IoT companies, they are fixed promptly before users are affected.”