Hacking Internet Connected Light Bulbs

← Back to Stories (view on slashdot.org)

Hacking Internet Connected Light Bulbs

Posted by Soulskill on Friday July 4, 2014 @09:15AM from the not-a-bright-idea dept.

An anonymous reader writes We've been calling it for years — connect everything in your house to the internet, and people will find a way to attack it. This post provides a technical walkthrough of how internet-connected lighting systems are vulnerable to outside attacks. Quoting: "With the Contiki installed Raven network interface we were in a position to monitor and inject network traffic into the LIFX mesh network. The protocol observed appeared to be, in the most part, unencrypted. This allowed us to easily dissect the protocol, craft messages to control the light bulbs and replay arbitrary packet payloads. ... Monitoring packets captured from the mesh network whilst adding new bulbs, we were able to identify the specific packets in which the WiFi network credentials were shared among the bulbs. The on-boarding process consists of the master bulb broadcasting for new bulbs on the network. A new bulb responds to the master and then requests the WiFi details to be transferred. The master bulb then broadcasts the WiFi details, encrypted, across the mesh network. The new bulb is then added to the list of available bulbs in the LIFX smart phone application."

39 of 63 comments (clear)

Min score:

Reason:

Sort:

Borg Home by ArcadeMan · 2014-07-04 09:16 · Score: 1

Just don't do it.

--
Get free satoshi (Bitcoin) and Dogecoins
1. Re:Borg Home by axlash · 2014-07-04 09:21 · Score: 1
  
  I get that large industrial/office complexes might want to automate/regulate lighting, but why would you want to do this for your home?
  Looks like overkill to me.
  
  --
  Deal with reality - the world as it is - rather than ideality - the world as you would like it to be.
2. Re:Borg Home by drinkypoo · 2014-07-04 09:34 · Score: 2
  
  I get why I'd want to do it at home, but not why I'd pay someone else to do it. You can get arduinos or whatever around ten bucks, if you're willing to deadbug or make your own boards by one method or another you can do your own automation for pennies on the dollar. And I'd rather use a serial loop than ethernet anyway. sure, I wouldn't implement any security either, but the obscurity of a custom system that's just not on an ethernet would discourage casual attackers, which is about all I would reasonably expect to defeat anyway.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
3. Re:Borg Home by SuperTechnoNerd · 2014-07-04 09:34 · Score: 1
  
  Sounds like dumb, sorry smart grid technology :)
4. Re:Borg Home by GNious · 2014-07-04 09:52 · Score: 5, Insightful
  
  (disclosure: I own LIFX lightbulbs, and wrote an app that controls them)
  "Smart-home" stuff is, currently, mostly toys - you have them for doing stuff that you largely don't need to do.
  Some Smart-home stuff is able to go beyond the toy-stage, like intelligent control of heating, remote monitoring etc, where they can serve specific, valuable purposes.
  Intelligent lightbulbs? Mine are able to entertain the kids for 20 minutes (let them go amok with the app), while I worked on making my phone advice me of SMSes and emails via a brief colour-change to a bulb; this is still in the toys-stage, but slowly starts serving a purpose.
  So, in view of you stating it is overkill, I'd ask whether saving on your heating bill is overkill, or whether having fun with setting lighting-levels and -colours is overkill?
  Naturally, the answer depends on your values in life :)
  Note: My latest suggestion for use of Smart-home equipment was to mix a LIFX lightbulb with a Doorbot (doorbell with camera and wifi), to alert a deaf person of the doorbell being used, by sending visual cues via the lightbulbs (specific colour-change).
5. Re:Borg Home by GNious · 2014-07-04 09:55 · Score: 3, Interesting
  
  (disclosure: I own LIFX lightbulbs, and wrote an app that controls them)
  "Smart-home" stuff is, currently, mostly toys - you have them for doing stuff that you largely don't need to do.
  Some Smart-home stuff is able to go beyond the toy-stage, like intelligent control of heating, remote monitoring etc, where they can serve specific, valuable purposes.
  As for "intelligent" lightbulbs? Mine are able to entertain the kids for 20 minutes (let them go amok with the app), while I worked on making my phone advice me of SMSes and emails via a brief colour-change to a bulb; this is still in the toys-stage, but slowly starts serving a purpose.
  So, in view of you stating it is overkill, I'd ask whether saving on your heating bill is overkill, or whether having fun with setting lighting-levels and -colours is overkill?
  Naturally, the answer depends on your values in life :)
  Note: My latest suggestion for use of Smart-home equipment was to mix a LIFX lightbulb with a Doorbot (doorbell with camera and wifi), to alert a deaf person of the doorbell being used, by sending visual cues via the lightbulbs (specific colour-change).
6. Re:Borg Home by Albanach · 2014-07-04 10:02 · Score: 2
  
  I get why I'd want to do it at home, but not why I'd pay someone else to do it
  I'm not sure how you're going to create an asthetically pleasing multi color 1,000 lumen LED that fits in a standrard lamp using a $10 controller. Plus create an app or web interface to control timing/dimming/color. If you figure it out, please post the details as I'm sure lots of folk would love to take on that project.
  In the meantime, I'm thinking these look pretty neat if a little expensive since I think you'd need quite a few bulbs for the best effect.
7. Re:Borg Home by Stan92057 · 2014-07-04 10:28 · Score: 1
  
  Knowing what I know using theses internet connected devices are a really really bad idea. Not because they are useless but because we have far too many bad people tiring to game the system, and steal from everyone they can. Including Corporations "GoogleThinking its there god given right to gain access to our most private of places our home. Stay out your not wanted so me im using thumb power to turn my utility's on and off tvm :)
  
  --
  Jack of all trades,master of none
8. Re:Borg Home by drinkypoo · 2014-07-04 10:48 · Score: 1
  
  I'm not sure how you're going to create an asthetically pleasing multi color 1,000 lumen LED that fits in a standrard lamp using a $10 controller.
  I'm talking about the automation, not the lighting itself. And I don't care if it fits into a standard lamp if I make the modifications myself
  
  In the meantime, I'm thinking these look pretty neat if a little expensive
  They're a lot expensive. And insecure.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
9. Re:Borg Home by Stan92057 · 2014-07-04 10:49 · Score: 1
  
  I really question the savings the device will need 24/7 internet connection, constant monitoring. That costs money that was not being used before. we need to be finding things that don't use anymore unreplenishable recourses like coal, oil. Now a device that doesn't have to connect to the internet would be a much more cost saving device. the non internet device can be charged by solar. But in not saying people shouldn't use it if they can afforded it sure use it but I think they are not saving anything in the long run only burning more oil IMO
  
  --
  Jack of all trades,master of none
10. Re:Borg Home by antdude · 2014-07-04 11:03 · Score: 1
  
  "Just do it." --Nike Borgs
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
11. Re:Borg Home by axlash · 2014-07-04 13:11 · Score: 1
  
  I'm being very specific here - I'm referring to internet controlled home lighting. If all I care about is switching on/off lights, it is overkill.
  I can't say I'm too hot ('scuse the pun) on remote controlled heating either; I'd need to see significant savings before I was tempted to invest in that.
  Of course, if this is all about having fun while engaging in a home project, that's another story altogether.
  
  --
  Deal with reality - the world as it is - rather than ideality - the world as you would like it to be.
12. Re:Borg Home by matria · 2014-07-04 13:58 · Score: 2
  
  Sounds like this sort of thing could be useful in the Deaf community - have the lighting flash different colors for various alarms and notifications.
13. Re: Borg Home by LocutusOfBorg1 · 2014-07-04 15:49 · Score: 1
  
  Resistance is futile.
14. Re:Borg Home by FawdNoor · 2014-07-04 17:59 · Score: 1
  
  In this Website you can get information about the Social Bookmarking and SEO and other Hub of SEO. And that are the Hub of SEO, Social Bookmarking, Classified ads, Guest blog and other SEO related information you can get here.
  Thanks........
  Social BookMarking site
15. Re:Borg Home by AmiMoJo · 2014-07-04 21:26 · Score: 1
  
  It's sad that we are a long way behind on home automation in the west. The Japanese have had this stuff for years now, and it works well.
  For example many air conditioning units can be linked via wifi for remove control. When you are 5 minutes from home your phone notifies the air-con to turn on max and be ready for your arrival, at which point it can turn right down to avoid giving you the chills. The air-con itself has a sensor that makes sure it directs cold air away from you when you are in the room.
  You can get cameras for your front door that use wifi to talk to your phone. When someone rings the doorbell an image of them pops up on your phone. If you are out you can chat to them, e.g. to tell them to deliver a package to a neighbour or hide it somewhere.
  Phone/internet controlled baths are available too. You can arrive home to a waiting hot tub of water, or just fill it and get a notification when it's ready. Some robot vacuum cleaners have wifi too, and will send you pictures of stuff they find under the sofa. Sharp's Cocorobo has a speaker too so you can drive to around remotely and talk to your pets while away from home. I have to admit that last function may not be terribly useful.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
16. Re: Borg Home by caveqat101 · 2014-07-05 00:55 · Score: 1
  
  Sorry about this comment, think of what else may be built into the common light bulb,and realize the security and privacy implications. Then think of the recent miniaturizations that have been put forward,with the higher input voltages,what else needs to be available for low level spying.
17. Re:Borg Home by uninformedLuddite · 2014-07-05 14:07 · Score: 1
  
  Once you have invested in all these 'cool' technologies it is a given that the government will link them up with smart metering and control your shit. All for the benefit of the children. Probably Honduran ones.
  
  --
  The new right fascists are bilingual. They speak English and Bullshit.
Dodged a bullet! by mariox19 · 2014-07-04 09:20 · Score: 1

Imagine if Pinky and the Brain had possessed such capabilities! They could not have been stopped.

--
quiquid id est, timeo puellas et oscula dantes.
Really? by CaptainDork · 2014-07-04 09:30 · Score: 1

At least they didn't have to drill a hole through the roof.

--
It little behooves the best of us to comment on the rest of us.
Re:Could these light bulbs contain cameras? by Anonymous Coward · 2014-07-04 09:37 · Score: 2, Insightful

1. offer some snazy new product that really isn't better than the current product
2. suck up data about the user under the guise of new cool tech features
3. ?????????????????????
4. PROFIT from the data
the key here is grabbing your data. having the ability to turn your lights on over the internet or change your home's temperature or some other useless feature for crazy OCD mental people who need total control over everything is just a cover to get hands on data about you
I just read my neighbors sensors for now. by Anonymous Coward · 2014-07-04 09:57 · Score: 2, Interesting

No need to mess with anybody. Just read temperature sensors with home-brew receiver. It now scans the entire range and decodes multiple models of sensors. Most of the 433MHz sensors are extremely easy to decode... I see no reason why they shouldn't be. Would suck if they encrypted them. The power outlet control devices though.... why would you not encrypt that? I was able to start controlling my own 110v devices with custom receiver/transmitter in about 1 day of hacking no problem. . Should be easy to control the neighbors as well (if I were so inclined). Of course, with some elevation and more power, it would be possible to be extremely annoying. In summary, make your transmit only devices un-encrypted. Make your read/write devices encrypted.
Re:Wireless stupidity by Joe_Dragon · 2014-07-04 10:11 · Score: 1

data signal between them depends on the quality of the electrical wiring itself. On top of that, improper wiring and circuit breakers can also negatively affect the performance.
Re:Is the Internet of Things going to watch me nak by Em+Adespoton · 2014-07-04 10:28 · Score: 2

While I presume the parent is meant to be some sort of satire, it's interesting that throughout history, slaves and then servants have generally been accepted in all these locations doing the same looking and listening. And the slaves/servants talked to each other -- they just didn't talk that much to the upper class, so what they said wasn't considered an issue.
What we're doing here is making our electronics replace those people, which is a good thing. The bad thing is that while we accept the devices in our lives, and consider their "conversation" meaningless to us, that conversation can be manipulated by anyone with some smarts and a network connection. So insead of slaves escaping or this month's maid getting fed up and moving on, you have devices that can leak all your personal information they have access to (lights tend to know when you're home) to the benefit of someone else.
Reasons why I don't like the Internet of Things. by Anonymous Coward · 2014-07-04 10:33 · Score: 1, Funny

Here's a list of reasons why I don't like the Internet of Things:
1) Internet of Things devices could watch me while I sleep.
2) Internet of Things devices could watch me while I pee.
3) Internet of Things devices could watch me while I make kaka.
4) Internet of Things devices could watch me while I pleasure myself.
5) Internet of Things devices could watch me while I wash my body in the shower.
6) Internet of Things devices could watch me while I relax in the tub.
7) Internet of Things devices could watch me while I brush my teeth.
8) Internet of Things devices could watch me while I make passionate love to my wife.
9) Internet of Things devices could watch me while I brush my hair.
10) Internet of Things devices could watch me while I read a book.
11) Internet of Things devices could watch me while I read Slashdot.
12) Internet of Things devices could watch me while I bake cake.
13) Internet of Things devices could watch me while I put in my contact lenses.
14) Internet of Things devices could watch me while I get ready to play golf.
15) Internet of Things devices could watch me while I do my laundry.
16) Internet of Things devices could watch me while I think about rugby.
17) Internet of Things devices could watch me while I tie my shoes.
18) Internet of Things devices could watch me while I celebrate the 4th of July.
19) Internet of Things devices could watch me while I water my flowers.
20) Internet of Things devices could watch me while I eat ham.
21) Internet of Things devices could watch me while I use my stapler to staple documents.
22) Internet of Things devices could watch me while I chew bubble gum.
23) Internet of Things devices could watch me while I check the oil in my car.
24) Internet of Things devices could watch me while I look for my TV remote.
25) Internet of Things devices could watch me while I blow my nose.
26) Internet of Things devices could watch me while I rearrange my stamp collection.
27) Internet of Things devices could watch me while I listen to the Backstreet Boys.
28) Internet of Things devices could watch me while I do my calisthenics.
29) Internet of Things devices could watch me while I search for a paper clip.
30) Internet of Things devices could send information about me to advertisers.
31) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I sleep.
32) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pee.
33) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make kaka.
34) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pleasure myself.
35) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I wash my body in the shower.
36) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I relax in the tub.
37) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my teeth.
38) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make passionate love to my wife.
39) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my hair.
40) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read a book.
41) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read Slashdot.
42) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I bake cake.
43) Internet of Things devices could let advertisers use the data unsuspectingly coll
Re:Why cares? by queazocotal · 2014-07-04 10:55 · Score: 2

Err - you're vastly missing the point.
Take a wifi antenna with moderate gain.
Now, wave it around.
If you're within 200m or so of one of these light-bulb networks, you can pretend to be a new bulb, and request the wifi login details.
You now simply tell the master bulb that you're the master bulb now, and should do all the wifi stuff (just to make very sure that no alarm bells go off).
Now, you fire up your wifi, with the MAC set to the old master bulbs MAC, and now simply login to the AP with the credentials you just downloaded.
And now, you can do whatever.
Re:Could these light bulbs contain cameras? by westlake · 2014-07-04 10:56 · Score: 1

I would not want some advertising company to watch me while I'm in the shower, or while I'm urinating or defecating.
Then don't mount a security camera in your bathroom.
Unless you have a legally defensible reason for doing so, such as the care of a physically frail parent or grandparent.
Relay Based Electric Lights by Anonymous Coward · 2014-07-04 11:11 · Score: 1

I recall visiting a house in the 1950s that had all the light switchs connected to a relay bank in the basement. (low voltage to the switches). This meant for example that you could push the right switch and turn every light in the house on at once. Of course this had to be done when the house was being built. The home was owned by a GE employee. Here is a link to parts for that kind of system: http://www.kyleswitchplates.com/ge-low-voltage-relays-transformers/
So all you have really done is changed from dedicated wiring to using the internet. (and some more options). Note that this system did not really catch on. GE now just sells similar units for offices and factories where one switch can turn on a whole floor of lights using relays.
So its just a more up to date version of an old system (I suspect you could find similar systems in the 1920s as well)
Big Bang Theory by volmtech · 2014-07-04 11:53 · Score: 1

And no one remembers the episode of the Big Bang Theory where the guys did just that and let hackers control their lights and remote control cars?
1. Re:Big Bang Theory by jones_supa · 2014-07-04 19:52 · Score: 1
  
  :D
Re:Reasons why I don't like the Internet of Things by Anonymous Coward · 2014-07-04 14:08 · Score: 1

data unsuspectingly collected about me while I listen to the Backstreet Boys.
Your list all seemed like normal stuff until I got to that one.
Now I see what you have to hide. You should be ashamed.
Re:Wireless stupidity by RealGene · 2014-07-04 16:31 · Score: 2

Erm, no, it doesn't. The LIFX bulbs establish a wireless RF mesh network amongst themselves. This isn't X-10.
The bulbs don't have to be on the same circuit, or technically, even in the same house.

--
Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
Re:Nonsense by RealGene · 2014-07-04 16:40 · Score: 4, Informative

That's the whole point of TFA. A lightbulb will hand out the WiFi credentials to anything impersonating another lightbulb.
No need to crack WPA, just hop into the mesh network, announce that you're a lightbulb, and the keys are handed to you.
So, your lights, thermostat, lawn-watering controller, swimming pool monitor, and eventually your TV and your refrigerator become attack surfaces that roll over just by looking at them and saying "please".

--
Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
Re:Reasons why I don't like the Internet of Things by NemoinSpace · 2014-07-04 18:08 · Score: 1

Internet of Things devices could watch me while I

type the same phrase over and over, but could have copy/pasted if i really understood the internet of things.
Re: Reasons why I don't like the Internet of Thing by jones_supa · 2014-07-04 19:44 · Score: 1

The way it works is that they bundle a cool app to go with the product, which needs some server-side work to process your data.
This creates them a nice trojan horse to carry your data to be datamined.
If the app is convenient enough to use, it quickly trumps most people's concerns of privacy.
Re:lightbulbs? by jones_supa · 2014-07-04 19:54 · Score: 1

They are actually connected to the Internet. The lights can be controlled through a smartphone. The bulbs use WiFi instead of Ethernet.
Re:Reasons why I don't like the Internet of Things by MMC+Monster · 2014-07-04 23:04 · Score: 3, Insightful

#1 - You're not that interesting.
#2 - Connected devices can have interesting power management solutions. It's not just adjusting the home temperature when it figures out no one's going to be home for 8 hours. What about adjusting when the fridge uses the most power during times when electricity is the cheapest? Or sending you a text message if the motion detectors go off but your car is not in the driveway/garage? Or have lights go on just after dusk (regardless of time of year) and go out at a random time between 10 and 11pm (unless motion suggests people are home)?
The upfront cost of these devices are a bit more. To be absorbed by early adopters, of course. But when the prices come down and the kinks straightened out, they can be quite useful.
OnTopic: My neighbor showed me the app he had on his phone to monitor his pool. It allowed him to monitor temperature, pH, turn the filter and heater on, etc. The installer gave it a default 4 digit passcode, which was apparently the same four digit passcode that every other installation had. Since the ID number of the pool was adjustable, my neighbor joked that he would sometimes log into random people's pools and flash their pool lights (and had others do it to him as well). Fortunately no one's raised the pool temperature to 90 degrees or something like that (yet).

--
Help! I'm a slashdot refugee.
Re:Technology changes fast, fast, FAST! by uninformedLuddite · 2014-07-05 14:12 · Score: 1

while he sits in his mother's basement watching me as a wash my groin in the shower.
People actually wash their groins?

--
The new right fascists are bilingual. They speak English and Bullshit.
Re:Nonsense by RealGene · 2014-07-06 03:45 · Score: 1

Because that would require planning for, designing, and implementing security as a first principle, rather than just making sure the phone app has pretty glowing buttons.
I'm not saying that these things must be insecure, just that most of them currently are insecure.

--
Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.