Smart light bulbs get security update
Smart light bulb maker LIFX has issued a firmware update after security researchers exposed a security weakness
Smart light bulb maker LIFX has issued a firmware update after security researchers exposed a security weakness in the firm’s Wi-Fi-enabled LED light bulbs.
The security vulnerability was discovered by researchers at Context Information Security in a study of the potential impact on enterprise security of IP-connected devices that make up the internet of things (IoT).
The smart light bulbs, designed to be controlled from a smartphone, were found to use a mesh network based on the 802.15.4 wireless protocol, commonly used for inter-IoT device communication.
The light bulbs use AES 128 encryption, but researchers found this did not mean they were secure.
Using a combination of hardware hacking, protocol analysis and reverse engineering, the researchers were able to extract the AES encryption details.
The researchers then used a wireless laptop to request Wi-Fi credentials from a light bulb over the unsecured mesh network.
Using the encryption key, they decrypted the credentials released by the light bulb and use those credentials to connect to a secured wireless network.
The relevance of the discovery to information security professionals is that the devices have parallels in corporate environments with similar underlying technology.
Context IS reported the vulnerability to the smart light bulb maker, LIFX, which has since worked with the security firm to release a firmware update to fix the security vulnerability.
The firmware update encrypts all communication between the smart light bulbs using an encryption key derived from the Wi-Fi credentials. It also includes functionality for adding new bulbs to the network securely.
“It is clear that in the dash to get on to the IoT bandwagon, security is not being prioritised as highly as it should be in many connected devices,” said Michael Jordon, research director at Context IS.
“We have also found vulnerabilities in other internet-connected devices from home storage systems and printers to baby monitors and children’s toys.
“IoT security needs to be taken seriously, particularly before businesses start to connect mission critical devices and systems,” he said.
Read more about the internet of things
- The internet of things is set to change security priorities
- APIs key to security of internet of things, says Axway
- Internet of things to power classroom education
- Smart Grid and the Internet of Things
- Smart technologies and the internet of things
- Gartner: Internet of Things will be worth trillions
- Explained: What is the Internet of Things?
- Building Internet of Things applications with DeviceHive
- The internet of things – the devices are taking over
- ARM buys Sensinode for ‘internet of things’ push