Slashdot Mirror
Hacking Internet Connected Light Bulbs
An anonymous reader writes We've been calling it for years — connect everything in your house to the internet, and people will find a way to attack it. This post provides a technical walkthrough of how internet-connected lighting systems are vulnerable to outside attacks. Quoting: "With the Contiki installed Raven network interface we were in a position to monitor and inject network traffic into the LIFX mesh network. The protocol observed appeared to be, in the most part, unencrypted. This allowed us to easily dissect the protocol, craft messages to control the light bulbs and replay arbitrary packet payloads. ... Monitoring packets captured from the mesh network whilst adding new bulbs, we were able to identify the specific packets in which the WiFi network credentials were shared among the bulbs. The on-boarding process consists of the master bulb broadcasting for new bulbs on the network. A new bulb responds to the master and then requests the WiFi details to be transferred. The master bulb then broadcasts the WiFi details, encrypted, across the mesh network. The new bulb is then added to the list of available bulbs in the LIFX smart phone application."
I get why I'd want to do it at home, but not why I'd pay someone else to do it. You can get arduinos or whatever around ten bucks, if you're willing to deadbug or make your own boards by one method or another you can do your own automation for pennies on the dollar. And I'd rather use a serial loop than ethernet anyway. sure, I wouldn't implement any security either, but the obscurity of a custom system that's just not on an ethernet would discourage casual attackers, which is about all I would reasonably expect to defeat anyway.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
1. offer some snazy new product that really isn't better than the current product
2. suck up data about the user under the guise of new cool tech features
3. ?????????????????????
4. PROFIT from the data
the key here is grabbing your data. having the ability to turn your lights on over the internet or change your home's temperature or some other useless feature for crazy OCD mental people who need total control over everything is just a cover to get hands on data about you
(disclosure: I own LIFX lightbulbs, and wrote an app that controls them)
"Smart-home" stuff is, currently, mostly toys - you have them for doing stuff that you largely don't need to do.
Some Smart-home stuff is able to go beyond the toy-stage, like intelligent control of heating, remote monitoring etc, where they can serve specific, valuable purposes.
Intelligent lightbulbs? Mine are able to entertain the kids for 20 minutes (let them go amok with the app), while I worked on making my phone advice me of SMSes and emails via a brief colour-change to a bulb; this is still in the toys-stage, but slowly starts serving a purpose.
So, in view of you stating it is overkill, I'd ask whether saving on your heating bill is overkill, or whether having fun with setting lighting-levels and -colours is overkill? :)
Naturally, the answer depends on your values in life
Note: My latest suggestion for use of Smart-home equipment was to mix a LIFX lightbulb with a Doorbot (doorbell with camera and wifi), to alert a deaf person of the doorbell being used, by sending visual cues via the lightbulbs (specific colour-change).
(disclosure: I own LIFX lightbulbs, and wrote an app that controls them)
"Smart-home" stuff is, currently, mostly toys - you have them for doing stuff that you largely don't need to do.
Some Smart-home stuff is able to go beyond the toy-stage, like intelligent control of heating, remote monitoring etc, where they can serve specific, valuable purposes.
As for "intelligent" lightbulbs? Mine are able to entertain the kids for 20 minutes (let them go amok with the app), while I worked on making my phone advice me of SMSes and emails via a brief colour-change to a bulb; this is still in the toys-stage, but slowly starts serving a purpose.
So, in view of you stating it is overkill, I'd ask whether saving on your heating bill is overkill, or whether having fun with setting lighting-levels and -colours is overkill? :)
Naturally, the answer depends on your values in life
Note: My latest suggestion for use of Smart-home equipment was to mix a LIFX lightbulb with a Doorbot (doorbell with camera and wifi), to alert a deaf person of the doorbell being used, by sending visual cues via the lightbulbs (specific colour-change).
No need to mess with anybody. Just read temperature sensors with home-brew receiver. It now scans the entire range and decodes multiple models of sensors. Most of the 433MHz sensors are extremely easy to decode... I see no reason why they shouldn't be. Would suck if they encrypted them. The power outlet control devices though.... why would you not encrypt that? I was able to start controlling my own 110v devices with custom receiver/transmitter in about 1 day of hacking no problem. . Should be easy to control the neighbors as well (if I were so inclined). Of course, with some elevation and more power, it would be possible to be extremely annoying. In summary, make your transmit only devices un-encrypted. Make your read/write devices encrypted.
I'm not sure how you're going to create an asthetically pleasing multi color 1,000 lumen LED that fits in a standrard lamp using a $10 controller. Plus create an app or web interface to control timing/dimming/color. If you figure it out, please post the details as I'm sure lots of folk would love to take on that project.
In the meantime, I'm thinking these look pretty neat if a little expensive since I think you'd need quite a few bulbs for the best effect.
While I presume the parent is meant to be some sort of satire, it's interesting that throughout history, slaves and then servants have generally been accepted in all these locations doing the same looking and listening. And the slaves/servants talked to each other -- they just didn't talk that much to the upper class, so what they said wasn't considered an issue.
What we're doing here is making our electronics replace those people, which is a good thing. The bad thing is that while we accept the devices in our lives, and consider their "conversation" meaningless to us, that conversation can be manipulated by anyone with some smarts and a network connection. So insead of slaves escaping or this month's maid getting fed up and moving on, you have devices that can leak all your personal information they have access to (lights tend to know when you're home) to the benefit of someone else.
Err - you're vastly missing the point.
Take a wifi antenna with moderate gain.
Now, wave it around.
If you're within 200m or so of one of these light-bulb networks, you can pretend to be a new bulb, and request the wifi login details.
You now simply tell the master bulb that you're the master bulb now, and should do all the wifi stuff (just to make very sure that no alarm bells go off).
Now, you fire up your wifi, with the MAC set to the old master bulbs MAC, and now simply login to the AP with the credentials you just downloaded.
And now, you can do whatever.
Sounds like this sort of thing could be useful in the Deaf community - have the lighting flash different colors for various alarms and notifications.
Erm, no, it doesn't. The LIFX bulbs establish a wireless RF mesh network amongst themselves. This isn't X-10.
The bulbs don't have to be on the same circuit, or technically, even in the same house.
Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
That's the whole point of TFA. A lightbulb will hand out the WiFi credentials to anything impersonating another lightbulb.
No need to crack WPA, just hop into the mesh network, announce that you're a lightbulb, and the keys are handed to you.
So, your lights, thermostat, lawn-watering controller, swimming pool monitor, and eventually your TV and your refrigerator become attack surfaces that roll over just by looking at them and saying "please".
Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
#1 - You're not that interesting.
#2 - Connected devices can have interesting power management solutions. It's not just adjusting the home temperature when it figures out no one's going to be home for 8 hours. What about adjusting when the fridge uses the most power during times when electricity is the cheapest? Or sending you a text message if the motion detectors go off but your car is not in the driveway/garage? Or have lights go on just after dusk (regardless of time of year) and go out at a random time between 10 and 11pm (unless motion suggests people are home)?
The upfront cost of these devices are a bit more. To be absorbed by early adopters, of course. But when the prices come down and the kinks straightened out, they can be quite useful.
OnTopic: My neighbor showed me the app he had on his phone to monitor his pool. It allowed him to monitor temperature, pH, turn the filter and heater on, etc. The installer gave it a default 4 digit passcode, which was apparently the same four digit passcode that every other installation had. Since the ID number of the pool was adjustable, my neighbor joked that he would sometimes log into random people's pools and flash their pool lights (and had others do it to him as well). Fortunately no one's raised the pool temperature to 90 degrees or something like that (yet).
Help! I'm a slashdot refugee.