Security researchers have exposed a security weakness in a Wi-Fi enabled, energy efficient LED light bulb that could allow hackers to expose the configuration of a network that the bulb is connected to.
The flaw affects LED bulbs from manufacturer Lifx. It makes bulbs that can connect to a wireless network and be controlled by a smartphone app.
The architecture, based on the 802.15.4 6LoWPAN wireless mesh network, requires only one bulb to be connected to the Wi-Fi at a time with all other bulbs receiving commands over the mesh network via the master bulb.
Researchers from IT security firm Context Information Security found they were able to monitor packets on the mesh network and identify the specific packets which shared the encrypted network configuration among the bulbs.
The researchers accessed the firmware of the bulb simply by breaking the bulb open to find its PCB to discover what processors it had. Researchers discovered the bulb used AES implementation to encrypt data flowing between the bulbs.
"AES, being a symmetric encryption cipher, requires both the encrypting party and the decrypting party to have access to the same pre-shared key," the researchers said in a blog posting. "In a design such as the one employed by LIFX, this immediately raises alarm bells, implying that each device is issued with a constant global key.
"If the pre-shared key can be obtained from one device, it can be used to decrypt messages sent from all other devices using the same key. In this case, the key could be used to decrypt encrypted messages sent from any LIFX bulb."
The researchers said the final step was to prove the accuracy of the extracted encryption variables by using them to decrypt Wi-Fi credentials sniffed off the mesh network.
"Hacking into the light bulb was certainly not trivial but would be within the capabilities of experienced cyber criminals," said Michael Jordon, research director at Context.
"In some cases, these vulnerabilities can be overcome relatively quickly and easily as demonstrated by working with the LIFX developers. In other cases, the vulnerabilities are fundamental to the design of the products. What is important is that these measures are built into all IoT devices from the start and if vulnerabilities are discovered, which seems to be the case with many IoT companies, they are fixed promptly before users are affected."
A fix for the flaw has been implemented in new firmware available from the manufacturer's website. The fix now encrypts all 6LoWPAN traffic, using an encryption key derived from the Wi-Fi credentials. It also includes functionality for secure on-boarding' of new bulbs on to the network.
