A smartphone connects wirelessly to a computerized network of cell towers. A smart light bulb is very similar: it is an internet-capable LED bulb that can be controlled remotely from a user’s smart device (such as a smartphone). Consumers are being seduced by the ability to turn up, change, or schedule the living room lights from afar, say, during the drive home.
A camp of modern technologists is hard at work making their dream of a global Internet of Things (IoT) a reality. In the IoT, every gadget is smart and they all talk to each other. The outdoor smart thermometer can tell the indoor smart furnace thermostat that baby, it’s cold outside, and ask it nicely to switch on the burners.
All this alleged convenience comes at a cost: privacy and data security. It would seem that most consumers have no idea how smart devices can be compromised by a skilled computer hacker.
Market analysts predict that smart light bulbs will be a hot seller this holiday season. Caveat emptor. (Let the buyer beware.)
Smart bulbs integrate with WiFi, Bluetooth, ZigBee or a proprietary connection to automate home systems. Through a mobile app or a building automation hub, individual bulbs can be programmed to change their output in a specific manner.
But these lamps are smarter than the average bulb, by far:
“The bulb’s internet connectivity makes it possible for vendors to use edge computing and equip smart bulbs with additional features like built-in cameras, built-in speakers and presence-sensing capability. Many types of smart bulbs enable the home or building manager to control brightness as well as RGB color.”
All IoT devices are attack vectors that create an exploitable opportunity for a hacker (or cracker) to gain access to a computer or network server in order to deliver a malicious payload or outcome.
In 2014, researchers from Context Information Security were able to steal a network’s password at a 30-meter distance from the targeted LIFX-brand smart bulb:
“By gaining access to a ‘master bulb’ in LIFX deployments, they could control all connected lightbulbs and expose user network configurations.”
The Context crackers (lawful hackers) figured out how to mimic the behavior of a bulb requesting WiFi credentials from the master bulb. But sensitive information transmitted between bulbs was encrypted – so they broke that security code. After a couple more techy steps, the data experts were able to fool the master bulb into sharing network secrets with the new (fake) bulb in town:
“Armed with that knowledge and an understanding of the mesh network protocol, the researchers were finally in a position to “hack” the LIFX installation: injecting packets into the mesh network to obtain the WiFi credentials, then decrypting the credentials without any notice of their presence or malicious actions.”
If you want to thwart a hacker it helps to think like a hacker, as one self-styled frugal student documented while hacking his new WiFi lights:
What can a hacker do?
They can turn all the lights on and off or just change the colors. We are speaking of millions of sold units.
They can see all emails linked to those light bulbs/rgb [red-green-blue] controllers.
They can see when you timed your lights to go on or off. Maybe see when a specific user leaves his house or has his house in vacation mode?
They can further exploit it…
Frugal Student (FS) purchased a $20 smart light bulb and an RGB LED strip controller for $8 so he could turn his lights on using his phone. But he remembered the October 2016 DDoS (distributed denial of service) attack that disrupted much of America’s internet service, provoking tech experts such as David Fidler, adjunct senior fellow for cybersecurity at the Council on Foreign Relations, to caution:
“We have a serious problem with the cyber insecurity of IoT devices and no real strategy to combat it. The IoT insecurity problem was exploited on this significant scale by a non-state group, according to initial reports from government agencies and other experts about who or what was responsible. Imagine what a well-resourced state actor could do with insecure IoT devices.”
FS decided to test “how unsafe” IoT devices really were, wondering how simple it would be for a student like him to hack a light bulb (or maybe even all the light bulbs of a company).
Much geekiness later, FS was able to bypass all sorts of security measures and take control of any light bulb without breaking into the vendor’s network. The student pointed out that IoT devices are everywhere and many go unnoticed by the user. That doesn’t mean that all is well:
“The problem, however, is that these IoT devices are made by hardware manufacturers that do not really care about cybersecurity. A light bulb like this may not be able to inflict a lot of damage apart from energy bills, probable fire hazards and stealth burglary — but from the moment these devices get smarter and smarter they have more possibilities to exploit them.”
The bottom line is that hacking into all commercial IoT devices sold by a single company is well within the grasp of a frugal student — which, according to him, “is kind of worrying.”