Feeds

Fridge hacked. Car hacked. Next up, your LIGHT BULBS

So shall you languish in darkness - or under disco-style strobes - FOREVER

Choosing a cloud hosting partner with confidence

Those convinced that the emerging Internet of Things (IoT) will become a hackers' playground were given more grist for their mill with news on Friday that security researchers have discovered a weakness in Wi-Fi/mesh networked lightbulbs.

Researchers at Context Information Security discovered that LED light bulbs from manufacturer LIFX - which are designed to be controlled from a smartphone - have security weaknesses. By gaining access to the master bulb, Context was able to control all connected lightbulbs and expose user network configurations.

Context worked with LIFX to develop a patch for the security bug before releasing a fix in the form of a firmware update. Simon Walker from LIFX stated: “Prior to the patch, no one other than Context had exposed this vulnerability, most likely due to the complexity of the equipment and reverse engineering required.”

Details of the vulnerability and the subsequent fix can in Context's advisory (summarised below)

The LIFX bulb was launched in September 2012 with crowd funding through the Kickstarter website. The architecture, based on the 802.15.4 6LoWPAN wireless mesh network, requires only one bulb to be connected to the Wi-Fi at a time. Context researchers found that they were able to monitor packets on the mesh network and identify the specific packets which shared the encrypted network configuration among the bulbs.

The detailed steps of gaining access to the device involved accessing the firmware by physically interrogating the device’s embedded microcontrollers to identify and understand the encryption mechanism in use. Armed with knowledge of the encryption algorithm, key, initialisation vector and an understanding of the mesh network protocol, Context was able to inject packets into the mesh network, capture and decrypt the network configurations, all without any prior authentication or alerting of its presence.

The fix, developed with the help of Context, is included in the new firmware and now encrypts all 6LoWPAN traffic, using an encryption key derived from the Wi-Fi credentials. It also includes functionality for secure ‘on-boarding’ of new bulbs on to the network.

Context's find is part of its ongoing research into the security of the Internet of Things (IoT) - which includes parking meters, internet-enabled fridges and much more besides. Many of these components are being put together with little thought for basic security precautions, according to Context.

“It is clear that in the dash to get onto the IoT bandwagon, security is not being prioritised as highly as it should be in many connected devices,” said Michael Jordon, research director at Context. “We have also found vulnerabilities in other internet connected devices from home storage systems and printers to baby monitors and children’s toys." ®

Intelligent flash storage arrays

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.