Smart light bulbs get security update

Warwick Ashford

Smart light bulb maker LIFX has issued a firmware update after security researchers exposed a security weakness in the firm’s Wi-Fi-enabled LED light bulbs.

The security vulnerability was discovered by researchers at Context Information Security in a study of the potential impact on enterprise security of IP-connected devices that make up the internet of things (IoT).

The smart light bulbs, designed to be controlled from a smartphone, were found to use a mesh network based on the 802.15.4 wireless protocol, commonly used for inter-IoT device communication.

The light bulbs use AES 128 encryption, but researchers found this did not mean they were secure.

Using a combination of hardware hacking, protocol analysis and reverse engineering, the researchers were able to extract the AES encryption details.

The researchers then used a wireless laptop to request Wi-Fi credentials from a light bulb over the unsecured mesh network.

Using the encryption key, they decrypted the credentials released by the light bulb and used those credentials to connect to a secured wireless network.

The relevance of the discovery to information security professionals is that the devices have parallels in corporate environments with similar underlying technology.

Context IS reported the vulnerability to the smart light bulb maker, LIFX, which has since worked with the security firm to release a firmware update to fix the security vulnerability.

The firmware update encrypts all communication between the smart light bulbs using an encryption key derived from the Wi-Fi credentials. It also includes functionality for adding new bulbs to the network securely.

“It is clear that in the dash to get on to the IoT bandwagon, security is not being prioritised as highly as it should be in many connected devices,” said Michael Jordon, research director at Context IS.

“We have also found vulnerabilities in other internet-connected devices from home storage systems and printers to baby monitors and children’s toys.

“IoT security needs to be taken seriously, particularly before businesses start to connect mission critical devices and systems,” he said.
