LIFX HomeKit bulbs appear to be storing Wi-Fi passwords unencrypted
A hardware hacker has revealed a trio of vulnerabilities in the popular LIFX HomeKit-enabled smart bulbs, that could expose a user's Wi-Fi password to somebody devoted to rooting through your trash.
Limited Results took a hacksaw to the LIFX Mini white smart bulb to gain direct access to the logic board of the bulb. After removing a copious amount of fireproof paste, the researcher was able to interface directly with the primary board.
Once connected, and after a very short amount of time, the researcher was able to uncover a trio of flaws. Primarily, the Wi-Fi credentials are stored in plain text within the bulbs firmware. Using a hex editor, the WPA2 key can be found stored as ASCII encoded plain text.
LIFX Efuses content
There is no security on the firmware itself, with the researcher unable to locate secure boot features, flash encryption, or JTAG disabling -- all leaving the device open to intrusion with physical access. Furthermore, both the RSA private key and the root certificate are present in the firmware and in plain text allowing for relatively easy extraction.
Anyone who has some basic electrical and programming knowledge, and has access to the bulb either functional or broken would be able to extract this information. It isn't a trivial extraction, but the fact that the credentials for the Wi-Fi network and RSA keys are being stored unencrypted is problematic from a security standpoint.
LIFX bulbs are arguably some of the best HomeKit bulbs on the market with a wide range of features unique from other bulbs. They also connect directly to Wi-Fi and don't rely on any gateway or hub to operate.
The bulb must be directly accessed -- and destroyed -- for this information to be gleaned. Then, hackers will only have access to your Wi-Fi credentials and still be unable to access or control your HomeKit devices.
Limited Results sent the information to LIFX in May of 2018, though they didn't receive a response until October. The security researcher then agreed to give LIFX 90 days before disclosing the vulnerability, which ended with Wednesday's public release.
It is still unknown whether LIFX has released an appropriate patch to address the vulnerabilities. AppleInsider has reached out to LIFX for comment, and will update when and if a response is received.
At this time AppleInsider suggests that you keep using any LIFX installation you may have as there does not appear to be a remote exploit at this time, but keep dead bulbs in your possession until LIFX issues guidance on the matter.
Update
LIFX has responded to AppleInsider stating how they addressed the concerns outlined in the original report. See our updated article for further details.
Limited Results took a hacksaw to the LIFX Mini white smart bulb to gain direct access to the logic board of the bulb. After removing a copious amount of fireproof paste, the researcher was able to interface directly with the primary board.
Once connected, and after a very short amount of time, the researcher was able to uncover a trio of flaws. Primarily, the Wi-Fi credentials are stored in plain text within the bulbs firmware. Using a hex editor, the WPA2 key can be found stored as ASCII encoded plain text.
LIFX Efuses content
There is no security on the firmware itself, with the researcher unable to locate secure boot features, flash encryption, or JTAG disabling -- all leaving the device open to intrusion with physical access. Furthermore, both the RSA private key and the root certificate are present in the firmware and in plain text allowing for relatively easy extraction.
Anyone who has some basic electrical and programming knowledge, and has access to the bulb either functional or broken would be able to extract this information. It isn't a trivial extraction, but the fact that the credentials for the Wi-Fi network and RSA keys are being stored unencrypted is problematic from a security standpoint.
LIFX bulbs are arguably some of the best HomeKit bulbs on the market with a wide range of features unique from other bulbs. They also connect directly to Wi-Fi and don't rely on any gateway or hub to operate.
The bulb must be directly accessed -- and destroyed -- for this information to be gleaned. Then, hackers will only have access to your Wi-Fi credentials and still be unable to access or control your HomeKit devices.
Limited Results sent the information to LIFX in May of 2018, though they didn't receive a response until October. The security researcher then agreed to give LIFX 90 days before disclosing the vulnerability, which ended with Wednesday's public release.
It is still unknown whether LIFX has released an appropriate patch to address the vulnerabilities. AppleInsider has reached out to LIFX for comment, and will update when and if a response is received.
At this time AppleInsider suggests that you keep using any LIFX installation you may have as there does not appear to be a remote exploit at this time, but keep dead bulbs in your possession until LIFX issues guidance on the matter.
Update
LIFX has responded to AppleInsider stating how they addressed the concerns outlined in the original report. See our updated article for further details.
Comments
Never mind, I expect Huawei has some excellent security options available. /s
None of which are being experienced by me upon seeing this story.
Like several people already said: the fact that we have data-unsecured lightbulbs, and that we need lightbulbs to be made data-secure, is surreal.
Another pathological technology obsession.
1. Break into house.
2. Get bulb.
3. Hack bulb.
4. Get access to network via WiFi.
5. Can’t control your HomeKit stuff.
OR
1. Break into house.
2. Plug in Ethernet cable onto router or hub.
3. Get access to network.
If the person is already in your house, I doubt Network access is going to be your biggest issue. This hack is interesting but I don’t think it’s a big security issue. I guess hacked bulbs could be used by spooks in someway.
Zigbee has its own flaws - https://www.asmag.com/showpost/26444.aspx although that's a little harder to exploit. Basically, Zigbee is what's called promiscuous pairing - the bulbs are always ready to pair by default, you press a button on the Hue bridge, and they pair. Which leaves the bulbs potentially (although not very practically) vulnerable, as detailed in the link above.
Think a little about the "no charge account" for remote access. Every time someone is running and maintaining cloud services, they have a cost. Who is paying for that, and where does that money come from? And, if you have remote access through a cloud service, who else could have access? The Hue system isn't bad, but I would say if you were concerned about security, you have to decide whose cloud and remote control you trust in. HomeKit does remote access by using a Home Hub (appleTV, homepod, ipad) and secures it with your iCloud account, which is encrypted.
At least where I’m at, I consider WiFi almost equivalent to the public internet, security must be enforced at the individual device level (NAS, computer, printers, etc.)
If someone having access to the WiFi password creates more of an issue than stolen bandwidth, you have much bigger security issues than these bulbs.