The dark side of IoT lighting devices

Smart lighting IoT devices are prone to attacks that expose households and inhabitants to discomfort, but more importantly, mass surveillance, privacy exposure and data theft.

Bitdefender researchers analyzed the LIFX bulb – a successful crowdfunding project started in September 2012 – and found it vulnerable to traffic interception. Coincidentally, the LIFX product has been subjected to a hacking experiment in 2014 and was seen leaking Wi-Fi credentials through the wireless mesh network connecting the bulbs. At that time, the company announced it will provide a fix.

The vulnerabilities

The LED lighting market is booming, as lightbulbs become more feature-rich and affordable with each model. Manufacturers are heavily focused on connecting chip-driven lighting products, making them talk to one another and to broader networks.

The Lifx Bulb is a smart LED that connects to a Wi-Fi network and allows users to control house lighting via a smartphone app. The device is fully compatible with Google Nest, Scout alarm system, Amazon Echo, Flic and other IoTs.

The smart bulb carries a design vulnerability – an attacker can switch the device on and off five times to reset the device and start the configuration process, initializing the creation of a new hotspot.

Moreover, any control command is executed without authentication, so sending requests from an Android app installed on a different device could change lighting settings such as temperature, color etc.

The impersonation attack

During normal setup, the device creates a hotspot used by the Android app to manage initial configuration of the device. The device asks for the username and password of the home network and once the user enters the credentials, the bulb connects to the Internet and the hotspot is closed.

Researchers discovered that a device reset can be done from a physical switch outside the user’s home, for instance. Once the user sees that the bulb is not working, he will try to re-register it in the application. Meanwhile the attacker creates an identical fake hotspot by manipulating the device’s MAC and SSID. The fake hotspot will appear on top of the list along with the authentic one and will fool the Android app looking to establish a connection. As a result, vicitms will be connected to attackers’ fake hotspot and leak the username and password of their Wi-Fi network.

Bitdefender has unsuccessfully tried to contact the vendor and inform them of the research findings. The attack is still possible on the LIFX app version, 3.3.0.1, downloaded by 50,000 users as of this writing.

Security implications

This attack technique is restricted by proximity and requires a certain degree of technical knowledge, but is not the only type of attack that can be carried out”, says Radu Basaraba, malware researcher at Bitdefender.

This research draws attention to the necessity to embed proper security in the life-cycle of devices as they still lack strong authentication mechanisms when being pushed to market. It also reminds users to pay attention and conduct a thorough market research before purchasing any new devices which might endanger their privacy.

Researchers from Bitdefender Labs have investigated a random selection of IoT devices- – a smart LED, a Wi-Fi enabled switch, a Wi-Fi audio receiver and a smart power adapter – and will share more worrisome findings. Note: the scrutinized gadgets have been chosen randomly, based on popularity, product reviews and price affordability.

This article is based on the technical information provided courtesy of Bitdefender researchers Dragos Gavrilut, Radu Basaraba and George Cabau.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.