
Discarded smart lightbulbs reveal your WiFi passwords, stored in the clear - duck
https://boingboing.net/2019/01/29/fiat-lux.html
======
sleepybrett
Anyone who recovers my discarded lightbulb from the dump, JTAGs it and pulls
my wifi name and password, does all the work to track down where my wifi
network is in the city serviced by that particular dump, parks outside my
place and joins my wifi can have anything they can get off my network.

~~~
tobtoh
Why would I go to the dump? If I was targeting you, I would just be searching
your trash and come across your bulbs that way. Your wifi network would be
pretty easy to find given it would be in the vicinity of the trash bin.

~~~
sleepybrett
Ok so let's pretend I have 10 LED smart bulbs in my house (future state; most
people have fewer than 10). Let's say their mean time to failure is six months
(I think this is significantly lowballed). That means there will be 1 lightbulb
in the trash on average every two to three weeks. This number is highly
unrealistic but whatever.

So you are going to have to dig through my trash (assuming curbside, which it
isn't) two to three times to find a bulb.

My door lock is easier to compromise. Just walk in and walk out with my
server.

Fact of the matter is, if you are the target of someone, there are better
ways... and if this is just an opportunistic guy who got some lightbulbs off
the back of an e-cycler truck and one of them happens to be mine, he can have
whatever he can find on my network.

TL;DR: The lock on your front door is easier to exploit, and the lock on your
back door is probably even worse.

~~~
microtherion
The Hollywood exploit would be to take out the light bulb with a BB gun
through an open window, and then go through the trash THAT night.

~~~
vxNsr
or cause a power surge blowing the bulb out.

------
antsar
LIFX claims[0] they have addressed this as follows:

#1: WiFi credentials are now encrypted

#2: We have introduced new security settings in the hardware

#3: Root certificate and RSA private key is now encrypted

Can anyone ELI5 how #1 is even possible (in a meaningful way)? Doesn't the
bulb need to decrypt this to connect to WiFi? Doesn't it need the key for
decryption? And doesn't it have nowhere except onboard storage to retrieve
that key from, since it isn't yet connected to WiFi? In that case, this "fix"
would have no value besides PR. Am I missing something?

[0] [https://www.lifx.com/pages/privacy-security](https://www.lifx.com/pages/privacy-security)

~~~
kevin_nisbet
It sounds like security theatre to me, however, there are a number of things
that can be done to make it fairly difficult but not impossible to dump from
an embedded device.

IIRC, many embedded processors have a sort of secure enclave, that allows
encryption of small amounts of data. The key is basically baked into the CPU,
so if someone just takes the flash out of the device and tries to read it
somewhere else, the file will need the CPU to be decrypted. I think mostly
this is obsolete encryption, but that doesn't necessarily mean it's trivial to
break.

Some vendors also embed secrets in their software, to "encrypt" on disk. This
doesn't tend to be real security, but does add the barrier that someone needs
to go through the software to find the hardcoded keys.

Shipping hardware should also have things like the JTAG and debug pins
disabled, this makes it a lot harder to memory dump the in-memory state or get
the device to load a custom image that would export the unencrypted keys in
memory.

So, there are barriers that can be placed that do make attacking the
hardware harder and out of reach of unsophisticated attacks, but nothing is
perfect. In my experience and from what I've heard from the community, it's
safer to assume meaningful security measures haven't been taken by the
vendors, even if they say they really care about security. Many of the
barriers will be like you suggested, encrypted on disk, with the decryption
key also on disk.

~~~
jdietrich
_IIRC, many embedded processors have a sort of secure enclave, that allows
encryption of small amounts of data. The key is basically baked into the CPU,
so if someone just takes the flash out of the device and tries to read it
somewhere else, the file will need the CPU to be decrypted. I think mostly
this is obsolete encryption, but that doesn't necessarily mean it's trivial
to break._

This would be the sensible implementation, but I doubt that LiFX have used a
suitable (and more expensive) MCU.

[https://www.digikey.com/en/articles/techzone/2015/apr/securi...](https://www.digikey.com/en/articles/techzone/2015/apr/security-is-the-key-to-success-for-mcu-based-iot-applications)

------
grendelt
Don't use smart bulbs. Bulbs burn out. Use smart sockets and "dumb" bulbs.
Don't put disposable things on your network.

~~~
sleepybrett
Most, if not all, smart bulbs are LED bulbs.

LED bulbs have very long lives.

If you want to use an RGB bulb or one of those bulbs that has adjustable white
temperature, a smart socket isn't going to support that.

~~~
EpicEng
>LED bulbs have very long lives.

Then why am I constantly replacing them? Wait, I know why; because I buy the
cheaper ones, which have inadequate thermal solutions and God knows what
quality of LED.

You may say "well don't buy the cheap ones", but people will, and they'll
always be available. Even more affluent people who hook their lights up to
their network will still often choose the cheaper version. Even the high end
versions will fail, and you end up with the same problem.

~~~
jfk13
Yeah - my experience with LED bulbs has been quite variable. Some "name-brand"
ones from a European manufacturer seem to be lasting well so far, but I've
also had a batch of lower-cost ones (with, supposedly, a 5-year guarantee)
where the failure rate within 6 months was something like 50%.

"LED bulbs have very long lives" is an overly optimistic generalisation, in my
experience.

~~~
Ptlnd
"LED bulbs with very long lives" would be pretty useless. What they don't tell
you about LEDs is that their efficiency goes down the drain over time; they
become so dark as to become unusable. I have a few 3- to 5-year-old bulbs,
which I still haven't discarded but kept in the closet as an "emergency bulb
if one of the bulbs I use breaks". I replaced them despite them being still
fully operational because they became too dark. Way too dark. This is an issue
with LCD TVs and monitors too. After a while their LED backlights become really
dark. Push your new monitor to max brightness and compare the old at its max
brightness, and even if they were rated at equal nits the newer one is much
brighter.

All those bulbs I have are the name-brand ones that do reliably work for years,
but I would not want to use them for years. I feel like I might just buy the
cheapest bulbs the next time, and not care if they die after 6 months. 6
months might be the maximum amount of time they can give you their brightest.

~~~
jfk13
But if they -- at least "quality" brand LEDs -- don't have really long
(useful) lives, the cost premium over other types of light bulbs looks much
less justifiable.

(For reference, according to
[http://www.lighting.philips.com/main/support/support/faqs/li...](http://www.lighting.philips.com/main/support/support/faqs/life-and-light-output/why-is-the-life-of-leds-measured-as-lumen-depreciation),
"The normal convention is to measure the life from when the output has reduced
by 30%, i.e. when there is 70% light output remaining.")

------
jfultz
I put all untrustworthy devices on my guest WiFi. My game consoles, e-readers,
streaming devices, and Internet appliances don't need access to my privileged
network, and they don't need access to each other. And if I were so inclined
to buy smart bulbs, they'd get the same treatment.

And, yeah, my guest WiFi password is kind of secret, but I routinely give it
out to people who I only casually trust.

------
slezyr
[http://www.commitstrip.com/en/2019/02/04/open-door/](http://www.commitstrip.com/en/2019/02/04/open-door/)

~~~
WrtCdEvrydy
I wonder if commitstrip will become the 'there's an XKCD for that'

~~~
simongr3dal
There are currently 1148 commitstrips and 2117 xkcds, so the chances are
looking pretty good.

------
adsadadsad
This ain't a big issue. You don't have full disk encryption on a lightbulb, so
of course the wifi password is going to be recoverable. I often find it funny
when asking for the wifi password in some places in Asia: staff insist on
entering it themselves so you don't tell freeloaders or Chinese; the network
manager prompt confuses them briefly but they continue, and then I turn around
and say "ah, so coffee2019 was that difficult to communicate" - shock. Even on
Windows it's a mere PowerShell command away.

~~~
exabrial
I've literally had this happen while I was in both Singapore and Beijing.
Quite humorous.

------
JasonFruit
What's a smart lightbulb for? I'm not playing dumb; I really can't think of a
time when I thought, "I wish I could communicate with my lightbulbs when I was
away," or, "I wonder what my lightbulbs are up to tonight!". Some of these IoT
innovations sound like they're looking for a problem.

~~~
acuozzo
> What's a smart lightbulb for?

I own two LIFX bulbs and they're in reading lamps on each side of my bed. I
program them to turn on at 8AM to help me wake up.

I also get to use my iPhone as a light switch since I don't have one
conveniently located near the door.

Over time I've found that I enjoy going to bed with them configured to a blue
color and dimmed to about 60%.

Finally, I enjoy configuring them to the favorite color of my romantic partner
when he/she comes over for the first time.

~~~
btreecat
>Over time I've found that I enjoy going to bed with them configured to a blue
color and dimmed to about 60%.

Interesting given the research and trend towards red light at night.

[https://www.health.harvard.edu/staying-healthy/blue-light-ha...](https://www.health.harvard.edu/staying-healthy/blue-light-has-a-dark-side)

~~~
acuozzo
I was put to sleep with a TV on as a young child and I currently sleep with
both lights and a TV on, so I'm sure I'm far from the norm.

------
JoshTriplett
(Reposting this from elsewhere in the thread.)

Ideally, when you try to connect a new device to your network, an existing
device with "network administrator" privileges (e.g. a computer) would get
asked "do you want Philips Hue Smart Bulb Controller (printed ID x7a39q) to
connect to your network?", and if you say "yes" on that device, the new device
would get a unique asymmetric key pair. When setting up a brand new network,
you could either enter something printed on the router or scan a QR code.

And then you could have a button to revoke a device's credentials (showing
recently disconnected devices first), and a button to revoke the credentials
of every device not currently on the network.

~~~
zokier
I had this idea at some point a few years ago of auto-provisioning WPA2-EAP
credentials for guest users, with network admin confirmation. Too bad it
didn't really progress much beyond a few flowcharts and a weekend of getting
confused with RADIUS. But I think the central concept is still workable, and
aligns pretty well with what you are proposing here.

Of course in IoT context there is the little problem that all the crappy
devices are unlikely to support EAP, but that is another story.

------
PaulHoule
Philips Hue doesn't have this problem because it uses Z Wave and not WiFi.

You do need the hub, but the attack surface is reduced, the basic bulbs are
cheaper, etc. There probably is key material in the bulb, but who wants to
impersonate a light that can only exchange simple binary (no strings to parse)
messages with the bridge?

~~~
b1r6
I thought they were ZigBee, and integration with Z-Wave controllers was
through Philips' web services?

[https://www.quora.com/Is-Phillips-Hue-hub-compatible-with-Z-...](https://www.quora.com/Is-Phillips-Hue-hub-compatible-with-Z-wave-devices)

But I would say in general, Z-Wave doesn't have as much of this problem.
Especially if we're talking Z-Wave Plus devices, which most coming out today
are. Even better if they have the S2 security!

~~~
PaulHoule
You are right, it is ZigBee.

------
tialaramex
So, a reasonable person (maybe not from here) would ask themselves why the
lightbulb has a secret password to access the Network. After all we want the
Network to be ubiquitous, so why is there a password anyway? If there wasn't a
password then bad guys couldn't find out what it is. (You may think, aha - but
with ubiquitous access they wouldn't need to, but as we saw for SSH shared
passwords mean that getting a password may be _more_ not less valuable than
access to the thing it was protecting).

It turns out that besides the stupid sociological reasons (which also result
in us trying to make it impossible to sleep on a park bench rather than
providing people with homes so that they won't _need_ to sleep on a park
bench) there's a technical reason, and maybe that we can fix.

WiFi (802.11) has traditionally been plaintext out of the box. So every
participant can see everything sent and received by every other participant.
If you have a password this isn't so. Thus, a WiFi network plus a billboard
announcing the WiFi password to everyone in the neighbourhood is actually
slightly _more_ secure than one with no password at all.

Finally in WPA3 this is fixed, participants with passwords use a PAKE but
everybody without a password gets OWE (RFC8110) to secure their network
access. Since they don't have any way to authenticate they can be MITM'd,
of course, but you can't just passively decrypt everything they're sending and
receiving. So a WPA3 era WiFi network that's "open" to everybody is protected
better than your WPA2 PSK "ThanksMike" password for Mike's Coffee Shop.

~~~
JoshTriplett
A reasonable person might also ask why the lightbulb has the same password to
access the network that everything else does.

Ideally, when you try to connect a new device to your network, an existing
device with "network administrator" privileges (e.g. a computer) would get
asked "do you want Philips Hue Smart Bulb Controller (printed ID x7a39q) to
connect to your network?", and if you say "yes" on that device, the new device
would get a unique asymmetric key pair. When setting up a brand new network,
you could either enter something printed on the router or scan a QR code.

And then you could have a button to revoke a device's credentials (showing
recently disconnected devices first), and a button to revoke the credentials
of every device not currently on the network.
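A toy model of the approve-then-issue and revoke flow proposed in this comment (and in zokier's EAP auto-provisioning idea earlier in the thread), added here as an example; it is not code from the thread, from Philips or from any router vendor. To keep it on the Python standard library it assumes a random per-device secret proved by HMAC challenge/response in place of the asymmetric key pair the comment proposes; the device name and printed ID are the ones from the comment, all other values are constructed.

```python
"""Per-device network credentials with admin approval and revocation (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class DeviceRecord:
    name: str
    printed_id: str
    secret: bytes           # assumption: symmetric HMAC key standing in for a device key pair
    last_seen: float = 0.0  # time of the last successful authentication


def device_response(secret: bytes, challenge: bytes) -> bytes:
    """Device side: prove possession of the credential without ever sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class DeviceRegistry:
    """Network side: one credential per device, each approved by an administrator device."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}           # printed_id -> device name
        self._devices: Dict[str, DeviceRecord] = {}  # printed_id -> active credential

    def request_join(self, name: str, printed_id: str) -> str:
        """Queue a join request and return the prompt shown on the admin device."""
        self._pending[printed_id] = name
        return f"Do you want {name} (printed ID {printed_id}) to connect to your network?"

    def approve(self, printed_id: str) -> bytes:
        """Admin said yes: issue a fresh credential unique to this device."""
        name = self._pending.pop(printed_id)
        secret = secrets.token_bytes(32)
        self._devices[printed_id] = DeviceRecord(name, printed_id, secret)
        return secret  # handed to the device over the onboarding channel

    def deny(self, printed_id: str) -> None:
        """Admin said no: drop the request without issuing anything."""
        self._pending.pop(printed_id, None)

    @staticmethod
    def challenge() -> bytes:
        """Fresh nonce per connection attempt so a captured response cannot be replayed."""
        return secrets.token_bytes(16)

    def authenticate(self, printed_id: str, challenge: bytes, response: bytes, now: float) -> bool:
        """Accept the device only if it holds the credential issued for its printed ID."""
        record = self._devices.get(printed_id)
        if record is None:  # unknown or already revoked
            return False
        if not hmac.compare_digest(device_response(record.secret, challenge), response):
            return False
        record.last_seen = now
        return True

    def revoke(self, printed_id: str) -> bool:
        """The per-device 'revoke' button; returns False if there was nothing to revoke."""
        return self._devices.pop(printed_id, None) is not None

    def recently_disconnected(self, connected: Iterable[str]) -> List[str]:
        """Devices not currently on the network, most recently seen first."""
        online = set(connected)
        offline = [r for pid, r in self._devices.items() if pid not in online]
        return [r.printed_id for r in sorted(offline, key=lambda r: r.last_seen, reverse=True)]

    def revoke_absent(self, connected: Iterable[str]) -> List[str]:
        """The 'revoke everything not currently on the network' button."""
        revoked = self.recently_disconnected(connected)
        for pid in revoked:
            self._devices.pop(pid)
        return revoked


if __name__ == "__main__":
    registry = DeviceRegistry()
    print(registry.request_join("Philips Hue Smart Bulb Controller", "x7a39q"))
    bulb_secret = registry.approve("x7a39q")  # admin tapped "yes"
    nonce = registry.challenge()
    print(registry.authenticate("x7a39q", nonce, device_response(bulb_secret, nonce), now=1.0))
    print(registry.revoke_absent(connected={"x7a39q"}))
```

Because every device holds a credential nobody else has, revoking one bulb (or every device that is currently absent) does not force a password change on the rest of the network, which is the property a shared PSK cannot give.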

~~~
heywire
Maybe the next iteration of WPS will move in this direction (and with fewer
vulnerabilities).

------
heavymark
I think I remember Lifx mentioning in a February post they fixed this back in
2018: [https://www.lifx.com/pages/privacy-security](https://www.lifx.com/pages/privacy-security). But yes, I assume almost
all the non-Apple/Google built devices in one's home have many weaknesses,
notably dumb devices like washers and dryers. If someone has physical access to
your home and you get rid of any devices that haven't been wiped, your
security can be compromised if someone with the knowledge wants to. Hopefully
people stay on companies to help uncover these one by one.

------
ams6110
My solution is simple. No "smart devices" on my WiFi network. I haven't seen
one that does anything useful.

~~~
moate
What about "being used as part of a bot-net to perform DDoS attacks/other
abuses"? That isn't frequently advertised, but that feature is useful to
someone right?

------
thefounder
Did anyone expect more from these devices? It's like expecting privacy from
virtual assistants.

~~~
fwip
Forgive me if I'm being naive, but what's the alternative to storing the wifi
password?

If the lightbulb encrypts the password for storage, it necessarily also stores
the decryption. An attacker would just have to take one extra step.

I guess what I'm saying is, doesn't this apply to any device you save any
password in? (And don't need a password to log in on reboot).

Edit: Thanks for all the info in the replies!

~~~
CharlesColeman
> If the lightbulb encrypts the password for storage, it necessarily also
> stores the decryption. An attacker would just have to take one extra step.

Yeah, but they could use some kind of secure enclave to make it much more
difficult. Like having the bulb query the enclave with a securely hashed
version of each available SSID until the enclave returns a password. That
would at least make it non-trivial to get the password or figure out what
network it connects to without some prior knowledge. That's valuable since it
would prevent someone from buying an old bulb then wardriving to find the
network that its credentials work for.

Also it would be good to have some kind of secure reset physical button, to
make it as easy as possible to clear any private data before the bulb is
discarded.

Neither of these ideas would help secure your network against exploitation of
an actively-used bulb, but they'd help with the discarded-bulb case.

~~~
baddox
I don’t get it. The bulb would have to be able to query the enclave, so the
attacker can just have it do that and see what the enclave returns. The
enclave in devices like iPhones is effective because it requires external
input (like a passcode or face/fingerprint scan). A lightbulb conveniently
doesn’t require that every time it turns on.

~~~
CharlesColeman
I edited my comment, but the idea was to increase the amount of foreknowledge
required to extract something useful. It won't be perfect, but it's better
than just storing the SSID/password in cleartext (or encrypted with an easily-
extracted on-device key). The device wouldn't tell the attacker what he needed
to know to find the network the password works for if he didn't already know
it.

Edit: another commenter linked [https://wigle.net/](https://wigle.net/), which
could make it _extremely easy_ for an attacker to find the network to exploit
if the device stores the SSID in cleartext. My idea would help make that a lot
harder, especially if the enclave rate-limits requests.
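A simulation of the hashed-SSID lookup described in this comment and its parent, added as an example; it is not code from the thread, from LIFX or from any secure element vendor. The enclave is modelled as a Python class whose key is assumed to be a per-chip secret that a flash dump cannot reach, the rate limit is the one the comment suggests, and the SSID and password are constructed sample values.

```python
"""Model of an enclave that only returns the Wi-Fi password for the right SSID (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, List, Optional, Tuple


class RateLimited(Exception):
    """Raised when the enclave refuses further lookups in the current window."""


class BulbEnclave:
    """Simulated secure element; everything inside is assumed unreadable from a flash dump."""

    def __init__(self, max_queries: int = 5, window_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        # Assumption: a per-chip secret fused into the secure element, never seen by firmware.
        self._key = secrets.token_bytes(32)
        self._tag: Optional[bytes] = None  # HMAC(key, SSID); the SSID itself is not stored
        self._password: Optional[str] = None
        self._max = max_queries
        self._window = window_seconds
        self._clock = clock
        self._window_start = clock()
        self._count = 0

    def _tag_for(self, ssid: str) -> bytes:
        return hmac.new(self._key, ssid.encode("utf-8"), hashlib.sha256).digest()

    def provision(self, ssid: str, password: str) -> None:
        """Done once during onboarding; afterwards the SSID exists only as a keyed hash."""
        self._tag = self._tag_for(ssid)
        self._password = password

    def wipe(self) -> None:
        """The physical 'secure reset' button: clear credentials before discarding the bulb."""
        self._tag = None
        self._password = None

    def lookup(self, ssid: str) -> Optional[str]:
        """Return the password only if `ssid` is the provisioned network; count every query."""
        now = self._clock()
        if now - self._window_start >= self._window:
            self._window_start, self._count = now, 0
        if self._count >= self._max:
            raise RateLimited("too many SSID lookups in this window")
        self._count += 1
        if self._tag is None:
            return None
        if hmac.compare_digest(self._tag, self._tag_for(ssid)):
            return self._password
        return None


def join_network(enclave: BulbEnclave, visible_ssids: List[str]) -> Optional[Tuple[str, str]]:
    """Firmware side: offer each SSID from a scan; stop at the first one the enclave accepts."""
    for ssid in visible_ssids:
        password = enclave.lookup(ssid)
        if password is not None:
            return ssid, password
    return None


if __name__ == "__main__":
    # Constructed sample values; no real network is involved.
    bulb = BulbEnclave()
    bulb.provision("HomeNet-5G", "correct horse battery staple")
    print(join_network(bulb, ["CoffeeShop", "xfinitywifi", "HomeNet-5G"]))
```

Outside the enclave the only stored network identifier is an HMAC under the chip key, so a dumped flash image does not name the network the password belongs to; the lookup interface is the remaining channel, and the rate limit bounds how many candidate SSIDs can be offered through it per window, which is exactly the foreknowledge argument the comment makes.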

------
close04
Why not post the link to the original article?
[https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/](https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/)

The comments there also shed some light on how they can be improved.

~~~
e12e
I mean, that the wifi password is available is obvious. But I wonder if this'll
allow third-party firmware updates? (It's a little unclear what the cert is
for):

"Vulnerability n°3: Root certificate and RSA private key extracted

Root certificate and RSA private key are present into the firmware and are
used to connect to LIFX cloud."

Then again, without any security at all, maybe firmware isn't signed at all
anyway..

------
evolvedlight
It's nice that they've tried to improve by providing a GPG public key on their
new page [0], however it links to a non-https page to download it:
[http://hosted.lifx.co/security/lifx_pgp_public.asc](http://hosted.lifx.co/security/lifx_pgp_public.asc).
I'm not sure they are actually taking this seriously.

[0] [https://www.lifx.com/pages/privacy-security](https://www.lifx.com/pages/privacy-security)

------
kilo_bravo_3
>No security settings. The device is completely open (no secure boot, no debug
interface disabled, no flash encryption).

If LIFX had enabled secure boot, disabled the debug interface, and encrypted
the boot flash storage, we would be reading an article about how consumers no
longer owned their devices and how they were being abused by a corporate
behemoth trying to deprive them of their right to repair and tinker through
DRM.

You know this, I know this, and I know that you know that I know that you know
this.

------
a-wu
Does anyone know if Bluetooth bulbs are safer in this regard? I have a couple
Sylvania Bluetooth bulbs instead of wifi bulbs because I'm concerned about
wifi bulbs being on my network, and I figure you need proximity to operate a
Bluetooth bulb.

------
adam12
This is almost as bad as Spectrum telling me the wifi password that I set.

I'm sure some customers use the same password for the email they gave
Spectrum.

------
taternuts
I have a cheap smart lightbulb that works over bluetooth perfectly. Not sure
why you'd have to involve your WiFi in this at all.

------
merb
actually my smart bulb needs to be reconfigured if there wasn't power for some
amount of time. I guess it will delete data on boot since a normal power down
for 5 minutes won't clear the data, which still makes it accessible if
somebody knows how to extract the data without triggering the kill.

------
jbob2000
Why would you WiFi connect a disposable lightbulb when it makes far more sense
to connect the switch?

~~~
bufferout
Why would you connect the switch when it makes far more sense to have software
controlled relays controlling each circuit at the fuse box?

------
coldacid
Disappointed but not surprised.

------
orthecreedence
I mean, derr.

Come on. Buy a wifi switch/socket, not a wifi light bulb.

