LIFX HomeKit bulbs appear to be storing Wi-Fi passwords unencrypted

in General Discussion edited January 31
A hardware hacker has revealed a trio of vulnerabilities in the popular LIFX HomeKit-enabled smart bulbs that could expose a user's Wi-Fi password to somebody devoted to rooting through their trash.




Limited Results took a hacksaw to the LIFX Mini white smart bulb to gain direct access to the logic board of the bulb. After removing a copious amount of fireproof paste, the researcher was able to interface directly with the primary board.

Once connected, and after a very short amount of time, the researcher was able to uncover a trio of flaws. Primarily, the Wi-Fi credentials are stored in plain text within the bulb's firmware. Using a hex editor, the WPA2 key can be found stored as ASCII-encoded plain text.

LIFX Efuses content


There is no security on the firmware itself, with the researcher unable to locate secure boot features, flash encryption, or JTAG disabling -- all leaving the device open to intrusion with physical access. Furthermore, both the RSA private key and the root certificate are present in the firmware in plain text, allowing for relatively easy extraction.

Anyone who has some basic electrical and programming knowledge, and has access to the bulb, either functional or broken, would be able to extract this information. It isn't a trivial extraction, but the fact that the credentials for the Wi-Fi network and RSA keys are being stored unencrypted is problematic from a security standpoint.

LIFX bulbs are arguably some of the best HomeKit bulbs on the market, with a wide range of features not found in other bulbs. They also connect directly to Wi-Fi and don't rely on any gateway or hub to operate.




The bulb must be directly accessed -- and destroyed -- for this information to be gleaned. Then, hackers will only have access to your Wi-Fi credentials and still be unable to access or control your HomeKit devices.

Limited Results sent the information to LIFX in May of 2018, though they didn't receive a response until October. The security researcher then agreed to give LIFX 90 days before disclosing the vulnerability, which ended with Wednesday's public release.

It is still unknown whether LIFX has released an appropriate patch to address the vulnerabilities. AppleInsider has reached out to LIFX for comment, and will update when and if a response is received.

AppleInsider suggests that you keep using any LIFX installation you may have, as there does not appear to be a remote exploit at this time, but keep dead bulbs in your possession until LIFX issues guidance on the matter.

Update

LIFX has responded to AppleInsider stating how they addressed the concerns outlined in the original report. See our updated article for further details.
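
The check below is an added example, not code from the article or from Limited Results. It shows how a vendor or device owner could audit a flash image for the conditions the report describes: a known Wi-Fi passphrase or a PEM private key sitting in plain text, and low entropy indicating that flash encryption is off. The image contents, SSID and passphrase are constructed sample values.

```python
import math
import re
from collections import Counter

# PEM header of an unencrypted private key (RSA, EC or PKCS#8)
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted flash sits close to 8.0."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def audit_image(image: bytes, secrets: dict) -> list:
    """Return (kind, label, offset) for every plaintext secret found in image."""
    findings = []
    for label, value in secrets.items():
        # Check the raw ASCII form and the UTF-16LE form some SDKs store.
        for kind, needle in (("ascii", value.encode("ascii")),
                             ("utf-16le", value.encode("utf-16le"))):
            offset = image.find(needle)
            while offset != -1:
                findings.append((kind, label, offset))
                offset = image.find(needle, offset + 1)
    for match in PEM_KEY_RE.finditer(image):
        findings.append(("pem-private-key", match.group().decode(), match.start()))
    return findings

def build_sample_image() -> bytes:
    """Constructed stand-in for a flash dump: erased flash (0xFF) plus a config blob."""
    config = b"ssid=ExampleNet\x00psk=correct-horse-42\x00"
    key = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
    return b"\xff" * 0x100 + config + b"\xff" * 0x40 + key + b"\xff" * 0x100

if __name__ == "__main__":
    image = build_sample_image()
    # The passphrase is one you provisioned yourself on a test network.
    for kind, label, offset in audit_image(image, {"wifi-psk": "correct-horse-42"}):
        print(f"{kind:16} {label:32} at 0x{offset:04x}")
    print(f"entropy: {entropy(image):.2f} bits/byte")
```

Any finding from `audit_image`, or an entropy figure well below 8 bits per byte across the whole image, means the secrets are recoverable from a discarded device.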

Comments

  • Reply 1 of 24
    sflocal Posts: 4,436 member
    Outside of Apple, there is simply no trust I have for these 3rd-party companies that sell these IoT devices.  They put zero thought into security.  If anything, it's an afterthought. The engineers are probably just some outsourced, overseas shop that have zero clue how to actually code quality software.
  • Reply 2 of 24
    I actually have a problem with articles listing details of how to break in to a device and network. It puts owners of these devices in more danger than beforehand because now anyone can perform the procedure.
  • Reply 3 of 24
    Mike Wuerthele Posts: 4,209 administrator
    genovelle said:
    I actually have a problem with articles listing details of how to break in to a device and network. It puts owners of these devices in more danger than beforehand because now anyone can perform the procedure.
    I have more of a problem with companies that sit on the information for six months and don't do anything about it. For now, the countermeasure is to not throw away your bulbs, which we discussed.
    edited January 30
  • Reply 4 of 24
    neilm Posts: 574 member
    Shock, horror! Internet of Things insecure!

    Never mind, I expect Huawei has some excellent security options available. /s
  • Reply 5 of 24
    MplsP Posts: 1,115 member
    So I read this article and think 'why, in God's name you need a lightbulb to be wifi connected, much less storing passwords?' If I want to dim a lightbulb, I'll put a dimmer switch on and buy a $4 bulb from Target or Home Depot
  • Reply 6 of 24
    If one had said ten years ago that a WiFi bulb stores passwords, it would be as if someone ran away from a mental institution and needs quick attention.
    edited January 30
  • Reply 7 of 24
    maltz Posts: 125 member
    Um, how is it supposed to access your WiFi network without storing the password somewhere?  I mean, sure it could encrypt it, but then it would have to store the encryption key, too, rendering the encryption useless.  Consumer WiFi doesn't support things like authentication tokens that can be revoked.

    IMO, this is a more general warning to think about what information is stored in IoT devices that you're throwing away.  Few enough people think to wipe their computers and phones before disposing of them, much less a light bulb.
  • Reply 8 of 24
    So a good lesson to learn here is to factory reset any lifx bulb that you get rid of or destroy inoperative ones. Outside of that, I don't see this physical hack as a threat at all since one has to physically be in the house and steal the bulb. If that person is already in your house you have bigger issues than just a wifi password.
  • Reply 9 of 24
    It's a perfectly valid story for this website. However I think there are 5 brands of Homekit-enabled light bulbs (some not yet on the market) that don't require hubs, how do the other brands handle this problem? 
  • Reply 10 of 24
    dysamoria Posts: 1,958 member
    Shock. Awe. Surprise.

    None of which are being experienced by me upon seeing this story.

    Like several people already said: the fact that we have data-unsecured lightbulbs, and that we need lightbulbs to be made data-secure, is surreal.

    Another pathological technology obsession. 
  • Reply 11 of 24
    It's a perfectly valid story for this website. However I think there are 5 brands of Homekit-enabled light bulbs (some not yet on the market) that don't require hubs, how do the other brands handle this problem? 
    Funny you should ask. Have been using the Philips Hue system for 3 years. To verify one aspect of the system I just got off the phone with their excellent customer support. Philips uses a Hub based system to prevent privacy issues from happening. The Hub connects via Ethernet connection to your router. Your device connects via WiFi to the Hub and it is your device that provides the security. The Hub uses a self generated wifi signal (like Air Drop) system to connect to the closest bulb then the mesh system takes over to connect to remaining bulbs. You can also log into a no charge account to remotely control and check the lights. I’m not an engineer or techie person so this is a layman’s explanation of how the system works. What I am is a very satisfied user of a terrific IoT lighting system. Yes it is a pricey system. The bulbs can be found $3-$7 less than the list price with promotions. The Hub package with a few bundled bulbs is a good value entry point into the Hue ecosystem. The system works, worth the investment, add to the system as needed, a terrific app UI with periodic software updates and firmware updates to Hub and to individual bulbs. HomeKit compatible. “Hey Siri” turn on my reading lights. “Hey Siri” turn on my television lights. The system also works with 3rd party apps. I have my lights 🚦 set to flash the Patriots 🏈 colors every time they score this Sunday.
  • Reply 12 of 24
    It's a perfectly valid story for this website. However I think there are 5 brands of Homekit-enabled light bulbs (some not yet on the market) that don't require hubs, how do the other brands handle this problem? 
    One more piece of useful information that my nephew, who is into IT work and uses the Hue system, provided me and I quote: “I think the name of the technology that hue uses to create its own mesh network is Zigbee. This is why bulbs can go unreachable even if there is a WiFi signal available in an area. I’ve used bulbs and accessories to extend the network to areas that were unreachable like the driveway and basement. I haven’t done it but I’ve read that you can use non-Hue devices that also use Zigbee to extend the mesh network for the Hue devices. Zigbee isn’t a Philips technology. I think it’s Samsung technology.”
  • Reply 13 of 24
    dysamoria said:
    Another pathological technology obsession. 
    Hey, I resemble that remark!
    edited January 30
  • Reply 14 of 24
    “The bulb must be directly accessed -- and destroyed -- for this information to be gleaned. Then, hackers will only have access to your Wi-Fi credentials and still be unable to access or control your HomeKit devices.”

    1. Break into house.
    2. Get bulb.
    3. Hack bulb.
    4. Get access to network via WiFi.
    5. Can’t control your HomeKit stuff.

    OR
    1. Break into house.
    2. Plug in Ethernet cable onto router or hub.
    3. Get access to network.

    If the person is already in your house, I doubt Network access is going to be your biggest issue. This hack is interesting but I don’t think it’s a big security issue. I guess hacked bulbs could be used by spooks in some way.
  • Reply 15 of 24
    MplsP said:
    So I read this article and think 'why, in God's name you need a lightbulb to be wifi connected, much less storing passwords?' If I want to dim a lightbulb, I'll put a dimmer switch on and buy a $4 bulb from Target or Home Depot
    Then you’re missing out on a lot of value. My entire house runs on scenes based on the sun and time of time, as well as ad hoc voice commands and, yes, physical switches/dimmers. They work together and do more. 
  • Reply 16 of 24
    Foaming Solvent Posts: 1 unconfirmed, member
    Put your IoT devices on a guest network.
  • Reply 17 of 24
    vmarks Posts: 652 editor
    iOS_Guy80 said:
    It's a perfectly valid story for this website. However I think there are 5 brands of Homekit-enabled light bulbs (some not yet on the market) that don't require hubs, how do the other brands handle this problem? 
    Funny you should ask. Have been using the Philips Hue system for 3 years. To verify one aspect of the system I just got off the phone with their excellent customer support. Philips uses a Hub based system to prevent privacy issues from happening. The Hub connects via Ethernet connection to your router. Your device connects via WiFi to the Hub and it is your device that provides the security. The Hub uses a self generated wifi signal (like Air Drop) system to connect to the closest bulb then the mesh system takes over to connect to remaining bulbs. You can also log into a no charge account to remotely control and check the lights. I’m not an engineer or techie person so this is a layman’s explanation of how the system works. What I am is a very satisfied user of a terrific IoT lighting system. Yes it is a pricey system. The bulbs can be found $3-$7 less than the list price with promotions. The Hub package with a few bundled bulbs is a good value entry point into the Hue ecosystem. The system works, worth the investment, add to the system as needed, a terrific app UI with periodic software updates and firmware updates to Hub and to individual bulbs. HomeKit compatible. “Hey Siri” turn on my reading lights. “Hey Siri” turn on my television lights. The system also works with 3rd party apps. I have my lights 🚦 set to flash the Patriots 🏈 colors every time they score this Sunday.
    Hue does not use a "self-generated wifi signal". They use Zigbee. Zigbee is a low-cost, low data rate mesh network (each device extends the reach of the network, messages for a device at the ends of the network pass through all the nodes in the middle on their way to the intended device). Wi-Fi, even in an ad-hoc (self-generated) system, is a hub-spoke system, normally. Zigbee tends to be cheaper than Wi-Fi, requires less computing power in each bulb, and uses less power. Samsung's SmartThings relies on Zigbee and Z-Wave, for example. Lots of home automation devices use it, because it's been around forever, is cheap, and has low power requirements. But it has very little in the way of security, compared to HomeKit's implementation.

    Zigbee has its own flaws - https://www.asmag.com/showpost/26444.aspx although that's a little harder to exploit. Basically, Zigbee is what's called promiscuous pairing - the bulbs are always ready to pair by default, you press a button on the Hue bridge, and they pair. Which leaves the bulbs potentially (although not very practically) vulnerable, as detailed in the link above. 

    Think a little about the "no charge account" for remote access. Every time someone is running and maintaining cloud services, they have a cost. Who is paying for that, and where does that money come from? And, if you have remote access through a cloud service, who else could have access? The Hue system isn't bad, but I would say if you were concerned about security, you have to decide whose cloud and remote control you trust in. HomeKit does remote access by using a Home Hub (Apple TV, HomePod, iPad) and secures it with your iCloud account, which is encrypted.
  • Reply 18 of 24
    Good gravy. If someone goes through THIS much trouble to get my Wi-Fi password, they've EARNED access to it! :smile: 
  • Reply 19 of 24
    hagar Posts: 107 member
    Why would you throw a LIFX light bulb in the trash? It’s electronics so should be recycled. It’s 2019. 
  • Reply 20 of 24
    rcfa Posts: 752 member
    WiFi access doesn’t buy much, particularly if you use the router to limit which MAC addresses are allowed access.

    At least where I’m at, I consider WiFi almost equivalent to the public internet, security must be enforced at the individual device level (NAS, computer, printers, etc.)

    If someone having access to the WiFi password creates more of an issue than stolen bandwidth, you have much bigger security issues than these bulbs.