This smart light bulb could leak your Wi-Fi password

LIFX smart bulbs contained vulnerabilities which could be exploited with a little ingenuity and the help of a hacksaw.
Written by Charlie Osborne, Contributing Writer

A researcher has disclosed a set of vulnerabilities which could be exploited to steal Wi-Fi passwords belonging to LIFX smart lighting owners.

This week, a hacker going under the name "LimitedResults" revealed how smart LIFX lighting bulbs could be compromised to access everything from Wi-Fi credentials to root certificates.

LimitedResults used the LIFX mini white as a test product, a $15.99 device which can be controlled via smartphone to change the temperature and dimness levels of lighting at home.

After installing the bulb's accompanying app on an Android device and setting up the Wi-Fi connection, the researcher grabbed a saw to hack his way into the hardware within.

After exposing the innards of the bulb and wiping away fireproof paste, the hacker found that the main component of the bulb is an ESP32D0WDQ6 system-on-chip (SoC) manufactured by Espressif.

It didn't take long to solder a few pins to a board in order to connect to the LIFX hardware, and after this link was established, LimitedResults found that Wi-Fi credentials were stored in plaintext within the flash memory.

"A simple research into the binary file flash.bin using a hex editor or even string|grep command is enough to retrieve the Wi-Fi credentials," the hacker said.

The second security issue that LimitedResults found was the overall lack of security measures in place to protect the bulb's hardware. The researcher was unable to find any secure boot, flash encryption, or any attempt to disable JTAG, an interface used for debugging and testing Internet of Things (IoT) and embedded devices.

The worst security issue impacting the LIFX product, however, was still to come. LimitedResults realized that the root certificate of the device and RSA private key were both made available in the light bulb's firmware.
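A release-gate check a vendor could run on a flash dump from its own test unit, covering the three findings above (plaintext credentials, no flash encryption, key material in firmware). This is an added example, not code from LimitedResults or LIFX; the canary passphrase, the sample image and the 7.5 bits/byte entropy floor are constructed assumptions.

```python
import math
import re

# PEM markers for unencrypted private keys and for certificates.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----")
ENTROPY_FLOOR = 7.5  # assumed heuristic: ciphertext is close to 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def audit_image(image: bytes, canaries: list[bytes]) -> list[str]:
    """Audit a flash dump taken from a unit provisioned with canary secrets."""
    findings = []
    for secret in canaries:
        offset = image.find(secret)
        if offset != -1:
            findings.append(f"plaintext canary secret at 0x{offset:x}")
    for m in PEM_PRIVATE_KEY.finditer(image):
        findings.append(f"PEM private key at 0x{m.start():x}")
    for m in PEM_CERT.finditer(image):
        findings.append(f"PEM certificate at 0x{m.start():x} (review)")
    # Ignore erased flash (0xFF) so empty space does not skew the estimate.
    written = image.replace(b"\xff", b"")
    if written and shannon_entropy(written) < ENTROPY_FLOOR:
        findings.append("low entropy: written flash does not look encrypted")
    return findings


# Constructed sample: erased flash, a canary passphrase, and a PEM header only.
CANARY = b"canary-passphrase-1234"
SAMPLE_IMAGE = (b"\xff" * 0x1000 + CANARY + b"\x00" * 10
                + b"-----BEGIN RSA PRIVATE KEY-----\n(constructed, no key material)\n"
                + b"\xff" * 0x1000)

if __name__ == "__main__":
    for finding in audit_image(SAMPLE_IMAGE, [CANARY]):
        print(finding)
```

Provisioning the test unit with a unique canary passphrase before dumping its flash makes the plaintext check exact, and an empty findings list is the pass condition for the build.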

"I decided to stop the investigation after that," the hacker said.

The vulnerabilities, which do require physical access to exploit, were first found in May 2018. LIFX failed to answer queries requesting a PGP key to disclose the findings for four months, and so a standard email was then sent by the researcher on 3 October. LIFX acknowledged the report a day later and requested a 150-day public disclosure deadline.

A 90-day disclosure timeline was then agreed upon.

LIFX says the "moderate to high severity" vulnerabilities have all been addressed in automatic firmware updates released at the end of 2018. A spokesperson from the company said that the vulnerabilities were an "oversight" and leftovers from the development stage before internal systems were deemed acceptable for large-scale use.

"All sensitive information stored in the firmware is now encrypted and we have introduced extra security settings in the hardware," the company says. "Customers can obtain the firmware update by opening their LIFX app and a firmware update prompt will be shown if they haven't already updated their lights."
