In under an hour, security researcher LimitedResults was able to hack into the LIFX mini white smart light bulb and take control of the device.
The light bulb contained a chip to which LimitedResults connected in order to access the bulb's hardware. This gave access to the user's Wi-Fi credentials, which were stored in plaintext in the bulb's memory. In the wrong hands, these credentials can compromise the user's whole network as well as their data. This is especially true where they share data over unencrypted websites.
Ability to take over the device
By extracting the private encryption key from the bulb's memory, LimitedResults successfully gained control of the device. This demonstrated that an individual is able to compromise the security of a device user's data. A hacker can steal data with the credentials obtained through this vulnerability. In addition, they can write data over the user's device and add malicious content.
LIFX did not appear to learn from the past. In 2014 the same thing happened, when researchers were able to gain access to a private Wi-Fi network using a similar tactic.
Implications of the lack of security on IoT devices
This issue arises at a time when the security environment of IoT has shown serious flaws in devices. Symantec carried out its own test on unnamed lights in December. It found that the app used to control the light bulb was sending unencrypted requests over the internet to the cloud backend. This granted easy unauthorised access to the network's traffic, which can lead to hackers sniffing this data and brute-forcing hashed passwords.
Symantec also discovered that the device had poor password management, as it did not allow the password to be changed once set. Symantec could then remotely control the light bulb itself. In this case, it cannot cause physical harm. If this were another appliance, such as the cardiac device from St Jude Medical, it could result in much worse. The cardiac device monitors and controls patients' heart functions. In 2017 the US Food and Drug Administration reported findings that hackers could administer incorrect pacing or shocks through the defibrillators and pacemakers once they had gained access to the device. It was also found that hackers could, in fact, hack into these devices. Attacks in cyberspace are harmful to data and privacy, but the chances of an attack physically killing someone are nearly non-existent. However, with security undermined in IoT devices, this becomes possible in extreme cases.
More reading on IoT flaws can be found in the Japanese Government to “Pen Test” Citizen’s IoT Devices Ahead of Olympics article.
IoT devices are undoubtedly playing an important part in society and add real value to services and operations today. IoT developers and providers need to do more to ensure security. Implementing encryption is something that should happen by default.
Users can maintain security by changing default passwords and using a range of characters to strengthen them.
LIFX have since remediated these flaws by implementing encryption on their devices, including for the private key.