> If the lightbulb encrypts the password for storage, it necessarily also stores the decryption. An attacker would just have to take one extra step.
Yeah, but they could use some kind of secure enclave to make it much more difficult. Like having the bulb query the enclave with a securely hashed version of each available SSID until the enclave returns a password. That would at least make it non-trivial to get the password or figure out what network it connects to without some prior knowledge. That's valuable since it would prevent someone from buying an old bulb then wardriving to find the network that it's credentials work for.
Also it would be good to have some kind of secure reset physical button, to make it as easy as possible to clear any private data before the bulb is discarded.
Neither of these ideas would help secure your network against exploitation of an actively-used bulb, but they'd help with the discarded-bulb case.
I don’t get it. The bulb would have to be able to query the enclave, so the attacker can just have it do that and see what the enclave returns. The enclave in devices like iPhones are effective because they require external input (like a passcode or face/fingerprint scan). A lightbulb conveniently doesn’t require that every time it turns on.
I edited my comment, but the idea was to increase the amount of foreknowledge required to extract something useful. It won't be perfect, but it's better than just storing the SSID/password in cleartext (or encrypted with an easily-extracted on-device key). The device wouldn't tell the attacker what he needed to know to find the network the password works for if he didn't already know it.
Edit: another commenter linked https://wigle.net/, which could make it extremely easy for an attacker to find the network to exploit if the device stores the SSID in cleartext. My idea would help make that a lot harder, especially if the enclave rate-limits requests.
It should be trivial to make the password write-only to the wifi electronics. For an attacker to get the wifi password, you'd have to remove the controller, and the controller could even be designed to mitigate against that attack too.
I can’t think of a great way to protect the WiFi password on smart bulbs that wouldn’t potentially be inconvenient or even dangerous.
Perhaps you could have the smart hub store the encrypted WiFi password, and require a manual unlock every time it cycles power. This would require something like a Bluetooth connection from your phone (since you obviously won’t have WiFi).
This would obviously be very inconvenient, and potentially dangerous in some situation where you need your home lighting. Perhaps the emergency situation can be solved by having smart bulbs turn on maximum brightness after cycling power (which I believe the Philips Hue bulbs do).
How about using RADIUS auth with unique credentials for each device? You still have to revoke old credentials, but this is much more reasonable than rotating the shared key on every device every time you throw away a bulb.
One option is to use per-device WiFi credentials (i.e. RADIUS auth). You still need to invalidate the credentials when you throw away a bulb, but there are advantages:
1. Unlike "wipe the bulb before discarding", you don't have to trust the bulb manufacturer to actually wipe.
2. You can invalidate credentials even after discarding a bulb.
Instead of going for complicated software solutions one could just include a physical button in the base that break the flash memory chip. Before you discard the bulb you press the button and keep your secrets.
The better solution of course would be to have the intelligence in the socket/switch/wiring. But that requires more effort when upgrading to "smart" (they are not smart, you still have to manually set them to the desired mode.) illumination and doesn't play nice with rental property.
I mean, that wifi password is available is obvious. But wonder if this'll allow third part firmware updates? (it'saa little unclear what the cert is for) :
"Vulnerability n*3: Root certificate and RSA private key extracted
Root certificate and RSA private key are present into the firmware and are used to connect to LIFX cloud."
Then again, without any security at all, maybe firmware isn't signed at all anyway..
I think I remember Lifx mentioning in a Feburary post they fixed this back in 2018: https://www.lifx.com/pages/privacy-security. But yes, I assume most all the non-apple/google built devices in ones home have many weaknesses notably dumb devices like washer and dryers. If someone has physical access to your home and your get rid of any devices that haven't been wiped, your security can be compromised if someone with the knowledge wants too. Hopefully people stay on companies to help uncover these one by one.
Then why am I constantly replacing them? Wait, I know why; because I buy the cheaper ones, which have inadequate thermal solutions and God knows what quality of LED.
You may say "well don't buy the cheap ones", but people will, and they'll always be available. Even more affluent people who hook their lights up to their network will still often chose the cheaper version. Even the high end versions will fail, and you end up with the same problem.
Yeah - my experience with LED bulbs has been quite variable. Some "name-brand" ones from a European manufacturer seem to be lasting well so far, but I've also had a batch of lower-cost ones (with, supposedly, a 5-year guarantee) where the failure rate within 6 months was something like 50%.
"LED bulbs have very long lives" is an overly optimistic generalisation, in my experience.
"LED bulbs with very long lives" would be pretty useless. What they don't tell you about LEDs is that their efficiency goes down the drain over time, they become so dark as to become unusable. I have a few 3 to 5 years old bulbs, which I still haven't discarded but kept in the closest as a "emergency bulb if one of the bulbs I use break", I replaced them despite them being still fully operational because they became too dark. Way too dark.
This is an issue with LCD TV and monitors too. After a while their LED backlights become really dark. Push your new monitor at max brightness and compare the old with its max brightness and even if they were rated at equal nits the newer one is much brighter.
All those bulbs I have are the namebrand that do reliably work for years, but I would not want to use them for years. I feel like I might just buy the cheapest bulbs the next time, and not care if they die after 6 months. 6 months might be the maximum amount of time they can give you their brightest.
But if they -- at least "quality" brand LEDs -- don't have really long (useful) lives, the cost premium over other types of light bulbs looks much less justifiable.
It's usually not the LED that fails, it's usually either the control circuitry or drivers that fail.
But even if you follow parent comment's suggestion of putting the smarts in the switch rather than the bulb you'll still have failure prone control circuitry and drivers in the bulbs. Switching to 12V might help.
Even the brands don't do that much better. Brightness or colour temperature has degraded markedly by 3 or 4 years of most I've bought.
Colour drift has been particularly bad with any daylight or cold white bulbs. We've gone through fewer of those so may have just been unlucky brand choices.
3 or 4 years is 4 or 5 years longer than a regular incandescent bulb. The can lights used throughout my house use recommend a particular type of bulb to be used, and these seem to burnout in less than 6 months. This is a remodeled/flipped house, so maybe there's something wonky with the wiring or some such, but the Phillips LEDs I've since replaced them with have been yet to burn out after 18 months. Can't vouch for if they are no longer the same brightness at 100% now, as I rarely turn them up higher than 80% in normal use.
We have IR-remote controlled ceiling lamps, and a smart IR blaster. The IR blaster can be put to all kinds of purposes, controlling A/C, floor-standing fans, TV, etc, without replacing every piece of tech in the home.
I have similar but it's 433MHz (I think). Advantage is it doesn't need line of sight, disadvantage is it's harder (but not impossible) to get working with a raspberry pi or similar.
That seems like just as bad of an idea. In theory the bulbs (LED) are supposed to last at least 10 years. If you use a smart socket it will stick around a lot longer. Sounds better, but look at how things have changed in the past 10-20 years in wireless tech and security alone. Personally I see the "dumb" bulbs and sockets as the smart choice.
could you please elaborate? the only missing feature I can think of when using a socket, is the color change. I would think that is not the primary reason to purchase smart light bulbs, besides maybe one or two for the novelty? the key benefits of smart lighting is in the timing controls, dimming, and occupancy sensing, all of which can be accommodated by the socket, provided it can talk to a gateway that offers those features.
Being able to change the color temperature of the bulb (bluish-white during the day, warm white at night) is a real benefit - and not something a socket can do.
In addition to the mentions of color temperature, dimming works far better in something directly controlling LEDs, not by something controlling AC current to a socket.
Ideally, there'd be a standard for DC bulbs plugged into sockets, which included brightness and color. But right now, everyone wants to sell their own bulb system.
Color change - including different shades of white. With multiple people in the house who have different preferences on what white means, this avoids a lot of battles :-)
But agree - if you are mostly going to use it to turn it on/off, a smart socket/switch is likely the way to go. But keep in mind that if you ignore Hue and Lifx, there are decent smart bulbs out there that are fairly cheap - likely cheaper than a smart socket. Add to that the simplicity for the end user. I've installed smart switches, and depending on how your house is built, it can be quite a pain. Not all lighting in the house is via a socket.
This aint a big issue. You dont have full disk encryption on a lightbulb so of course the wifi password is going to be recoverable. I often find it funny when asking for the wifi password in some places in asia when staff insist on entering it themselves so you dont tell freeloaders or chinese, the network manager prompt confuses them briefly but they continue, but then I turn around and say ah so coffee2019 was that difficult to communicate - shock. Even on windows it's a mere powershell command away
Anyone who recovers my discarded lightbulb from the dump, JTAGs it and pulls my wifi name and password, does all the work to track down where my wifi network is in the city serviced by that particular dump, parks outside my place and joins my wifi can have anything they can get off my network.
Why would I go to the dump? If I was targeting you, I would just be searching your trash and come across your bulbs that way. Your wifi network would be pretty easy to find given it would be in the vicinity of the trash bin.
Exactly my thoughts. If I were this class of criminal, I'd be searching dumpsters or trash cans with the assumption that the network would probably be within 500 feet of that location.
It wouldn't be super helpful if I was trying to target a singular person but if I was just going to look for a bulb to use this exploit on, similar to how ATM hackers look for the models they know how to crack, I'd probably be able to find one eventually SOMEWHERE.
Ok so let's pretend I have a 10 led smartbulbs in my house ( future state, most people have less than 10 ). Let's say their mean time to failure is a six months ( I think this is significantly lowballed ). That means there will be 1 lightbulb in the trash on average every two to three weeks. This number is highly unrealistic but whatever.
So you are going to have to dig through my trash (assuming curbside (it isn't) two to three times to find a blub.
My door lock is easier to compromise. Just walk in and walk out with my server.
Fact of the matter is, if you are the target of someone, there are better ways... and if this is just an opportunistic guy that got some lightbulbs off the back of an e-cycler truck and one of them happens to be mine. He can have whatever he can find on my network.
TL;DR: The lock on your front door is easier to exploit, and the lock on your back door is probably even worse.
That's not really how it works though - if I were targeting you, I wouldn't think "I'm going to go through this guy's trash and look for smart bulbs". I'd think "I'm going to go through this guy's trash and see if I find anything useful."
If I find bank statements or other correspondence containing personal information, all of that gets added to the "dossier." If I find a hard drive, I'd plug it in and poke around. If I found a birthday card, I'd check the date it was mailed and have a good idea of when you were born. If I found a smart bulb... well, now this is just one more small extension of your personal attack surface.
Take this a bit further - what happens when the healthcare startup with 50 or so employees installs smart bulbs? Let's say the bulbs last on average five years, and they have 50 bulbs in their offices. That's ten bulbs failing per annum, giving a ~80% chance of finding a smart bulb in their trash in a given month. An attacker gets one of those, and is able to connect to their internal network over WiFi. From there they can poke around on internal machines, and would probably even have access to a whitelisted origin IP for SSHing into production machines.
The post was making an example from just finding attack vectors. This is just one of many attack vectors, but it's still a viable vector for attack. What if it's a small business that might have important trade secrets, but doesn't meet the strict requirements for HIPPA/PCI/etc?
It's still one more vector that doesn't need to exist, because there is no reason what-so-ever that you need a Wi-Fi chip inside your light blub!
> From there they can poke around on internal machines, and would probably even have access to a whitelisted origin IP for SSHing into production machines.
… at which point they need to break SSH/TLS after getting off the IoT sandbox network. I’d worry more about phishing and malware, and focus on deploying things like MFA first.
If they aren’t doing any of those things (or, in your example, not using a paper shredder) PCI & HIPAA are going to be a lot more of an existential threat than someone dumpster diving.
In Denmark, where putting electronics in the normal trash is forbidden[1], there's a small bin for electronics beside the others (metal, plastic, cardboard, paper, food waste, other waste).
The electronics bin in my building's basement is emptied around every 8 weeks, so there's more chance for someone to find them. (I know several people who search through these bins and repair electronics with only minor faults, which is excellent for reducing waste etc.)
I fully expected this to be mostly US-only, but I looked at my small UK town and found a ton of networks in the new development I live in which is less than two years old.
Just speculating, but might there be a business in e-recyclers downstream of collection points diverting networked gizmos, which could find their way to a specialized data recovery outfit, which compiles everything recovered into a database? If there was any location or identity information to pair with the password, it could be of relatively immediate value.
I feel like there are easier ways to get someone's wifi credentials, particularly with the weak passwords folks tend to use (I am guilty of this as well).
It’s not just the wifi password. It also has the key to the cloud which you presumably connected many of your devices to. So just get get the bulb, hacker goes home and messes with the controls to your house.
It wouldn't have to be acquired from the dump. Imagine this scenario:
1) $BADGUY (say, a business competitor) occasionally visits your office (for meetings or whatever).
2) $BADGUY notices that you use CrapSecurity lightbulbs, and brings along a dead CrapSecurity bulb in his backpack.
3) $BADGUY goes to bathroom, replaces the CrapSecurity bulb in your bathroom with his dead bulb (so you think it just burned out or something) and takes your bulb along to read the password at his leisure.
How much would your building's janitor have to be bribed to give someone a dead bulb? Replacing bulbs is one of the things that janitors do, so there'd be virtually no risk to him. The new bulb would have to be added to the network by the sysadmin, but is he gonna ask the janitor for the old one?
Requiring a sysadmin to add a new bulb to the network? I'd rather stick with dumb lightbulbs, thank you. (In a practical deployment the janitor will have the credentials to the network that the lightbulbs are on, hopefully not the one that all other devices are)
What about the waste reycling contractor who classifies electrical waste. Especially further up the food chain where there's a greater concentration of these devices.
Phillips Hue doesn't have this problem because it uses Z Wave and not WiFi.
You do need the hub, but the attack surface is reduced, the basic bulbs are cheaper, etc. There probably is key material in the bulb, but who wants to impersonate a light that can only exchange simple binary (no strings to parse) messages with the bridge?
But I would say in general, Z-Wave doesn't have as much of this problem. Especially if we're talking Z-Wave Plus devices, which most coming out today are. Even better if they have the S2 security!
What about "being used as part of a bot-net to perform DDoS attacks/other abuses"? That isn't frequently advertised, but that feature is useful to someone right?
So, a reasonable person (maybe not from here) would ask themselves why the lightbulb has a secret password to access the Network. After all we want the Network to be ubiquitous, so why is there a password anyway? If there wasn't a password then bad guys couldn't find out what it is. (You may think, aha - but with ubiquitous access they wouldn't need to, but as we saw for SSH shared passwords mean that getting a password may be _more_ not less valuable than access to the thing it was protecting).
It turns out that besides the stupid sociological reasons (which also result in us trying to make it impossible to sleep on a park bench rather than providing people with homes so that they won't _need_ to sleep on a park bench) there's a technical reason, and maybe that we can fix.
WiFi (802.11) has traditionally been plaintext out of the box. So every participant can see everything sent and received by every other participant. If you have a password this isn't so. Thus, a WiFi network plus a billboard announcing the WiFi password to everyone in the neighbourhood is actually slightly _more_ secure than one with no password at all.
Finally in WPA3 this is fixed, participants with passwords use a PAKE but everybody without a password gets OWE (RFC8110) to secure their network access. Since they don't have a way any way to authenticate they can be MITM'd of course, but you can't just passively decrypt everything they're sending and receiving. So a WPA3 era WiFi network that's "open" to everybody is protected better than your WPA2 PSK "ThanksMike" password for Mike's Coffee Shop.
A reasonable person might also ask why the lightbulb has the same password to access the network that everything else does.
Ideally, when you try to connect a new device to your network, an existing device with "network administrator" privileges (e.g. a computer) would get asked "do you want Philips Hue Smart Bulb Controller (printed ID x7a39q) to connect to your network?", and if you say "yes" on that device, the new device would get a unique asymmetric key pair. When setting up a brand new network, you could either enter something printed on the router or scan a QR code.
And then you could have a button to revoke a device's credentials (showing recently disconnected devices first), and a button to revoke the credentials of every device not currently on the network.
LIFX claims[0] they have addressed this as follows:
#1: WiFi credentials are now encrypted
#2: We have introduced new security settings in the hardware
#3: Root certificate and RSA private key is now encrypted
Can anyone ELI5 how #1 is even possible (in a meaningful way)? Doesn't the bulb need to decrypt this to connect to WiFi? Doesn't it need the key for decryption? And doesn't it have nowhere except onboard storage to retrieve that key from, since it isn't yet connected to WiFi? In that case, this "fix" would have no value besides PR. Am I missing something?
It sounds like security theatre to me, however, there are a number of things that can be done to make it fairly difficult but not impossible to dump from an embedded device.
IIRC, many embedded processors have a sort of secure enclave, that allows encryption of small amounts of data. The key is basically baked into the CPU, so if someone just takes the flash out of the device and tries to read it somewhere else, the file will need the CPU to be decrypted. I think mostly this is obsolete encryption, but that doesn't necessarily mean it's trivial to break.
Some vendors also embed secrets in their software, to "encrypt" on disk. This doesn't tend to be real security, but does add the barrier that someone needs to go through the software to find the hardcoded keys.
Shipping hardware should also have things like the JTAG and debug pins disabled, this makes it a lot harder to memory dump the in-memory state or get the device to load a custom image that would export the unencrypted keys in memory.
So, there are barriers that can be placed, that does make attacking the hardware harder and out of reach of unsophisticated attacks, but nothing is perfect. In my experience and from what I've heard from the community, it's safer to assume meaningful security measures haven't been taken by the vendors, even if they say they really care about security. Many of the barriers will be like you suggested, encrypted on disk, with the decryption key also on disk.
It's an interesting problem, because all the connected devices would need the attack mitigation.
Would be interesting to see a protocol which auto-revokes certificates for devices which do not digitally sign some "ping" message periodically. That way if someone digs through the dumpster, the credentials probably won't be valid.
Many embedded processors these days allow you to disable the JTAG/SWD debugging port. So once that is disabled it becomes quite a bit harder to read data from any of the on chip memory using external devices.
IIRC, many embedded processors have a sort of secure enclave, that allows encryption of small amounts of data. The key is basically baked into the CPU, so if someone just takes the flash out of the device and tries to read it somewhere else, the file will need the CPU to be decrypted. I think mostly this is obsolete encryption, but that doesn't necessarily mean it's trivial to break.
This would be the sensible implementation, but I doubt that LiFX have used a suitable (and more expensive) MCU.
i”d love to understand this as well. it seems to boil down to how to secure the (un)encryption key, since unencrypted secrets in (volatile) storage should disappear when the bulb is removed from power, and other secrets in long-term storage should all be encrypted by the one primary (un)encryption key. how do you secure this key? secure enclave seems to make it harder but not impossible (as kevin_nisbet points out).
You have to use a secure element essentially. But there's no way they paid for a chip that includes that functionality because it costs a fair bit of money (on the scale of a smart bulb).
actually my smart bulb needs to be reconfigured if there wasn't power for some amount of time.
I guess it will delete data on boot since a normal power down for 5 minutes won't clear the data, which still makes it accessible if somebody knows how to extract the data without triggering the kill.
I put all untrustworthy devices on my guest WiFi. My game consoles, e-readers, streaming devices, and Internet appliances don't need access to my privileged network, and they don't need access to each other. And if I were so inclined to buy smart bulbs, they'd get the same treatment.
And, yeah, my guest WiFi password is kind of secret, but I routinely give it out to people who I only casually trust.
Ideally, when you try to connect a new device to your network, an existing device with "network administrator" privileges (e.g. a computer) would get asked "do you want Philips Hue Smart Bulb Controller (printed ID x7a39q) to connect to your network?", and if you say "yes" on that device, the new device would get a unique asymmetric key pair. When setting up a brand new network, you could either enter something printed on the router or scan a QR code.
And then you could have a button to revoke a device's credentials (showing recently disconnected devices first), and a button to revoke the credentials of every device not currently on the network.
I had this idea at some point few years ago of auto-provisioning WPA2-EAP credentials for guest users, with network admin confirmation. Too bad it didn't really progress much beyond few flowcharts and weekend on getting confused with RADIUS. But I think the central concept is still workable, and aligns pretty well with what you are proposing here.
Of course in IoT context there is the little problem that all the crappy devices are unlikely to support EAP, but that is another story.
>No security settings. The device is completely open (no secure boot, no debug interface disabled, no flash encryption).
If LIFX had enabled secure boot, disabled the debug interface, and encrypted the boot flash storage, we would be reading an article about how consumers no longer owned their devices and how they were being abused by a corporate behemoth trying to derive them of their right to repair and tinker through DRM.
You know this, I know this, and I know that you know that I know that you know this.
It's nice that they've tried to improve by providing a GPG public key on their new page [0], however it links to a non-https page to download it: http://hosted.lifx.co/security/lifx_pgp_public.asc. I'm not sure they are actually taking this seriously.
Does anyone know if Bluetooth bulbs are safer in this regard? I have a couple Sylvania Bluetooth bulbs instead of wifi bulbs because I'm concerned about wifi bulbs being on my network, and I figure you need proximity to operate a Bluetooth bulb.
What's a smart lightbulb for? I'm not playing dumb; I really can't think of a time when I thought, "I wish I could communicate with my lightbulbs when I was away," or, "I wonder what my lightbulbs are up to tonight!". Some of these IOT innovations sound like they're looking for a problem.
reply