Digital Life

Security vulnerability found in LIFX smart light bulbs exposes home Wi-Fi passwords

Thought your wirelessly connected smart light bulbs were safe from hackers? Think again.

IT security researchers have discovered that the smart LIFX bulbs created by Australian entrepreneurs living in Silicon Valley were exposing their users' home wireless modem (Wi-Fi) passwords.

With access to Wi-Fi credentials, hackers could potentially extract personal files on computers connected to a home network and make use of its internet connection to download large files. They could also wreak havoc by printing reams of documents on any connected printers and turn on and off and change the colours of LIFX bulbs.

The smart bulbs, which recently went on sale for $129, can be controlled wirelessly using an app on your smartphone and can change colour.

After determining how multiple LIFX bulbs talk to each other, the researchers, from security firm Context Information Security, investigated how the bulbs shared home Wi-Fi network credentials.

Encryption was being used, but after physically pulling apart lightbulbs to determine the key algorithm, they found they could reverse-engineer the encryption.

Advertisement

The researchers said in their findings, published online, that they could "capture the Wi-Fi details and decrypt the credentials, all without any prior authentication or alerting of our presence".

In order to stage an attack, the researchers said they needed to be within about 30 metres of a vulnerable LIFX bulb.

In other words, a hacker simply needed to sit outside a target's home.

Chief executive officer and co-founder of LIFX, Phil Bosua, recently told Fairfax Media more than 100,000 LIFX bulbs had been shipped to customers

Responding to the security researcher's findings, LIFX issued a software update that users can download to upgrade their bulbs.

LIFX said in a blog announcing the vulnerability and upgrade that it believed no LIFX users had been affected because it had received no reports from users about the issue.

"We recommend that all users stay up-to-date with the latest firmware and app updates," LIFX said.

Depending on which version of software a user's light bulb has, the update can take as long as two hours, Fairfax has found.

"Expected firmware update times are dependant and directly affected by your network conditions such as Wi-Fi signal strength and the location of your bulbs," Simon Walker, head of LIFX global marketing, said.

"In an ideal scenario, the expected update time for a single bulb can take between 45 minutes to an hour. As more bulbs are added or radio signal drops, this expected time will increase."

This will change in future updates, LIFX said, as the way the bulbs are upgraded has been altered to speed up the process.

"Our first major update, version 1.3, has been distributed throughout the home via mesh protocol, which is slow," Bosua said. "The next public firmware release will be distributed via Wi-Fi and will take approximately one to two minutes per bulb."

Bosua said LIFX took security "very seriously" and was "actively engaged in security testing, both internally and externally".

When recently interviewed before the vulnerability was discovered at his company's headquarters in Portola Valley, Bosua seemed to suggest the worst a hacker could do was "turn your lights on and off" if a security flaw was ever found in LIFX bulbs.

"It'd be just annoying," he said.

Asked what he was doing to protect the bulbs from hackers, he said the company was working with a security company to ensure they were secure.

"What we are doing is really just abiding by industry security protocols," he said. "And we're actually working with a security company to ensure LIFX is secure as it can possibly be.

"We're not doing anything different than what anyone in the past has ever done with security. We take it very seriously and we're basically adhering to every security practice that we can possibly maintain."

While Google and Facebook pay thousands of dollars to some hackers who find security holes in their software, Bosua said LIFX had no plans to do the same.

Advertisement

13 comments