Security vulnerability of smart bulbs is revealed
LIFX, led by founder and inventor Phil Bosua, debuted on the crowdfunding site Kickstarter in September 2012, with backers pledging a total of $1.3m in six days. The company billed the LIFX light bulb as the light bulb reinvented because it is a ‘WiFi enabled multi-color, energy efficient LED light bulb’.
Context Information Security wrote on the company’s blog: "We chose to investigate this device due to its use of emerging wireless network protocols, the way it came to market and its appeal to the technophile in all of us".
LIFX bulbs connect to a WiFi network to allow them to be controlled using a smart phone application. In a situation where multiple bulbs are available, only one bulb will connect to the network. The ‘master’ bulb receives commands from the smart phone application, and broadcasts them to all other bulbs over an 802.15.4 6LoWPAN wireless mesh network.
Context Information Security’s blog outlines how the company discovered the security vulnerability of the LIFX light bulb, but notes that, because the attack works on the 802.15.4 6LoWPAN wireless mesh network, an attacker would need to be within wireless range (~30 meters) of a vulnerable LIFX bulb to perform an attack, which limits the practicality of large-scale exploitation.
Following the discovery, Context informed LIFX of the company’s research findings. Context has now worked with LIFX to help them provide a fix for the specific issue, along with further security improvements. The fix, which is included in the new firmware, now encrypts all 6LoWPAN traffic using an encryption key derived from the WiFi credentials, and includes functionality for secure on-boarding of new bulbs onto the network.