Who Knew? Even a Smart Light Bulb Can Leak Your Passwords
Many years ago, people thought that we would have flying cars by now. They were a tiny bit too optimistic with their predictions, but nevertheless, we have found other ways of making our lives a bit easier. For example, some of us are now relieved of the annoying chore of having to flick the light switch when it gets dark. We now have 'smart' light bulbs, and we can tell them to switch themselves on automatically. We can also turn on the lights from our smartphones, without even getting up from the sofa.
In fairness, different people have (and will continue to have) different opinions on smart bulbs. Some think that they are a genuinely clever invention that adds quality to our lives. Others reckon that they are about as useful as an outrageously expensive juicer that does nothing special and is connected to the internet for reasons that cannot be justified in any way.
There are a couple of things we can all agree on, though. First, smart bulbs' popularity is growing, and in light of the internet-of-things craze that everyone seems obsessed with at the moment, it will probably continue to grow. The second thing that we can all accept is the fact that any device (be it a laptop, a toaster, or indeed, a light bulb) that is connected to the internet must be secured against all manner of attacks. And the painful truth about smart light bulbs is that they simply aren't very secure.
Researchers poke holes in smart bulb's security
Limited Results is a hardware security blog that has only existed for a few months, but the person behind it has already managed to test several different internet-connected light bulbs. The results are far from encouraging.
The devices are sold by a range of different manufacturers, including Xiaomi and LIFX, and were bought for anything between €15 and €30 ($17 and $34). One of the bulbs was ordered online and did not have a CE certificate. According to the researcher, strange design decisions and cheap materials turn it into a serious hazard which should not be put anywhere near electricity. This is not what the experiment was about, though.
As you probably know, the typical smart bulb setup involves downloading an app on your smartphone, establishing a connection between the phone and the bulb, and then telling it which wireless network it should connect to. The bulb saves the SSID and your Wi-Fi password and stays connected to the home network, meaning that it can receive commands from the app on your phone. The researcher wanted to find out what sort of data the bulbs store and how.
The devices were broken open, and their Wi-Fi modules were retrieved. After connecting them to a computer, Limited Results found out that all bulbs stored the Wi-Fi credentials in plain text.
Other flaws were found as well, including saved encryption keys which would allow the decryption of wireless traffic. In the case of a bulb manufactured by Lyasi, Limited Results managed to reassemble the device and control it remotely without an authenticated app.
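To make the finding concrete, here is the kind of check a reviewer would run over a flash dump from a device they own to see whether credentials sit in the clear. This is an added example, not code from the blog post or from Limited Results: the two "dumps" are constructed inline, the `key=value` record layout and the 0xFF padding are assumptions for illustration rather than any real bulb's storage format, and the "encrypted" blob is a deterministic stand-in for ciphertext built from SHA-256 output, not a real cipher. The scan combines a `strings`-style search for credential-looking records with a byte-entropy reading of the region where the record lives, which is how a plaintext record and an encrypted one look different even before you know the format.

```python
from __future__ import annotations

import hashlib
import math
import re

# Constructed sample "flash dump" modelled on the article's finding: the SSID
# and Wi-Fi password written to flash as plain text. The key=value layout and
# the 0xFF padding are assumptions for illustration, not any real bulb's format.
PLAINTEXT_DUMP = (
    b"\xff" * 16
    + b"ssid=HomeNetwork\x00"
    + b"psk=CorrectHorseBattery\x00"
    + b"\xff" * 16
)

# Stand-in for the same record stored encrypted: a deterministic 40-byte blob
# that looks like ciphertext (constructed from SHA-256 output; no real cipher).
_BLOB = (hashlib.sha256(b"constructed ciphertext stand-in").digest()
         + hashlib.sha256(b"constructed second block").digest()[:8])
ENCRYPTED_DUMP = b"\xff" * 16 + _BLOB + b"\xff" * 16

# Key names that commonly label Wi-Fi credentials in key=value records
# (assumed names; extend the list for the firmware you are auditing).
CRED_RECORD = re.compile(r"^(ssid|psk|pass(?:word)?|wpa_psk)=(.+)$", re.IGNORECASE)


def printable_runs(dump: bytes, min_len: int = 8) -> list[str]:
    """Return runs of printable ASCII (0x20-0x7E) at least min_len long,
    the same idea as the `strings` utility."""
    runs: list[str] = []
    cur = bytearray()
    for b in dump + b"\x00":          # trailing sentinel flushes the last run
        if 0x20 <= b <= 0x7E:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Ciphertext approaches 8 for long inputs;
    text and padding sit well below. Short blobs cap at log2(len(data))."""
    if not data:
        return 0.0
    n = len(data)
    counts: dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_plaintext_credentials(dump: bytes) -> list[tuple[str, str]]:
    """Flag printable runs that look like credential key=value records."""
    hits: list[tuple[str, str]] = []
    for run in printable_runs(dump):
        m = CRED_RECORD.match(run)
        if m:
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


def audit(dump: bytes, region: slice = slice(16, -16)) -> dict:
    """Summarise one dump: any recoverable credentials, plus the entropy of
    the region where the credential record is expected to live."""
    return {
        "plaintext_credentials": find_plaintext_credentials(dump),
        "region_entropy_bits": round(shannon_entropy(dump[region]), 2),
    }


if __name__ == "__main__":
    for name, dump in (("plaintext", PLAINTEXT_DUMP), ("encrypted", ENCRYPTED_DUMP)):
        print(name, audit(dump))
```

On the plaintext dump the scan recovers both the SSID and the password directly, and the record region scores around 4 bits per byte; on the encrypted stand-in nothing matches and the same region scores above 4.5 bits, close to the 5.3-bit ceiling for a 40-byte sample. The entropy reading is only a hint (compressed or random-looking data also scores high), which is why the string scan is the primary check and the entropy is reported alongside it.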
It's not exactly a shocking discovery
Limited Results' experiment reveals flaws that, admittedly, shouldn't present problems for many of the regular users that buy these devices. In the real world, this type of attack is dependent on a hacker stealing the light bulb or retrieving it from the victim's trash, which isn't a part of most people's threat model. This, however, doesn't mean that the research isn't valuable.
Ever since smart devices started becoming fashionable, experts have been trying to raise awareness around the lack of implementation of even the most basic security mechanisms. The business is growing at an explosive rate, and manufacturers are in a rush to launch the newest products with the best features at the lowest possible price. Security is falling by the wayside, and hackers are taking advantage of the growing number of woefully insecure gadgets that are flooding the internet. Although there have been one or two reasonably disruptive attacks that involved Internet of Things devices, users don't seem to be particularly concerned. Nevertheless, they have every right to know the risk and decide for themselves whether they're ready to accept it.