This Common Home Appliance Can Compromise Your Entire Security

LIFX is a smart light bulb that can be controlled with your smart phone via your home's Wi-Fi network. Turns out that anyone within range can obtain the Wi-Fi password from the light bulb. It's a problem with the communications protocol.

Posted on July 10, 2014 at 6:21 AM • 62 Comments


dandraka • July 10, 2014 6:31 AM

So the day has come that I have to update my lightbulb? Is it just me, or is there anybody else who thinks this is crazy?

Mike the goat • July 10, 2014 6:36 AM

Yeah, it got the attention of the radio shockjocks a few days ago when Context published a piece on how they found that the mesh networking stack (802.15.4) wasn't quite as guarded as the traditional WiFi which is used to accept commands from their iPhone/iPad app to whatever bulb has been elected the master. So essentially it is just a case of hardcoded creds in the firmware, which they were able to reverse. Interesting but unfortunately not all that practical. What did surprise me, however, was how much money the kickstarter campaign for these devices raised. Seems people really want automated light bulbs ;-)

o/t - nwfor: have been travelling and been away from my pgp keys. Shall get back to you when home for the weekend :-).

Grant Gould • July 10, 2014 7:33 AM

Okay, that does it. Clickbait headlines were funny for a week, but now it's time to evict this blog from my RSS reader.

What's next, clickbait titles on journal articles?

Big Mike • July 10, 2014 7:45 AM

I do not need this light bulb and neither do any of you. Are we out of control yet?

Thomas • July 10, 2014 7:51 AM

"So the day has come that I have to update my lightbulb?"

You're assuming this will be an option.

More likely you'll be left with the old firmware and no way to upgrade it (other than replacing the units).

At least this time you know about it, and if push comes to shove you can unplug a lightbulb.

What will you do when this happens to your smart-meter? Will you even know?

What about your pacemaker?

JeffH • July 10, 2014 7:52 AM

I'd contemplate laying money down that the engineers knew exactly what a bad idea this was, and got told by some product manager that it's not that big a deal & to get on with shipping the product. Maybe I'm just cynical.

Then again, anyone who thinks controlling anything important with their smartphone, historically not a particularly secure platform, gets what they deserve. This is the same platform, after all, that merrily backs up the WiFi password to who knows where in 'the cloud'. I'll stick with good old-fashioned switches or... maybe... just maybe... a dimmer.

Aside on the click-bait title: how many people actually own one of these lightbulbs? Clearly we need Downworthy to replace Common with Unusual & Entire with Some if the font size is above a certain value ;)

Thoth • July 10, 2014 7:59 AM

There have been many cases of readers accusing Bruce of 'clickbait headlines' ... or maybe it's Bruce's interns writing his blog posts. Who knows.

If you have better ideas of how Bruce's blog should format its headlines in a way approved by you guys, please post some tips here to advise Bruce's interns instead of just expressing frustration. They are interns after all and Bruce is too busy traveling and giving speeches to have time to do blog posting on his own.

Here's my shot at suggesting a better headline for this blog post:
- Wifi Light Bulb That Has Weak WiFi Security

How about your turn?

DGM • July 10, 2014 8:03 AM

I agree with the comments about the titles. It is not so irritating yet that I would give up on Bruce's blog. The contents of the blog still seem to be Bruce's voice. But a lot of the value for me has been in the comments and if a lot of other people abandon the blog I likely will also.

Ray • July 10, 2014 8:11 AM

Wow, people are really sensitive about the click-bait titles. To the one guy who said they were funny for a week but now it is too much -- they have only been running for four days.

In my opinion the titles are clearly satirical and I fully expect them to end next week. Even if they didn't, they would still be satirical, at least in my eyes.

Perhaps they are not satirical but an attempt to reach a wider audience using the lessons learned from heartbleed. Either way, I couldn't care less about the titles and will continue to read based on the content of the articles, because, you know, I'm not that superficial.

Winter • July 10, 2014 8:15 AM

"Either way, I couldn't care less about the titles and will continue to read based on the content of the articles, because, you know, I'm not that superficial."


If the headlines are driving people off, then it seems to me they were not here for the content to begin with.

As they say: If you judge a book by the cover, do not read it.

Thoth • July 10, 2014 8:25 AM

The only reason people think the titles written by Bruce's interns are "clickbait titles" is probably that they have lots of RSS feeds overflowing and do not know which one to read in a rush; when they see some flashy title, they simply click on it. I am guessing most of them are using RSS feeds on tiny cellphone/mobile device screens, and due to the screen size every feed title takes up screen space.

Personally, I would have a list of quality content (not quality title) publishers restricting them to only the few I feel their contents are worth being added to my RSS Feeds instead of trying to add all of my feeds into a small device.

Peter Boughton • July 10, 2014 8:34 AM

Winter, "they" say lots of things. Mostly things which don't make sense outside of the original context, no matter how many people repeat it.

The *entire point* of a book's title and cover is to give a concise indication of what's in the book / who a book's intended audience is.

This title style is liable to change Bruce's target audience to include people who find such titles attractive. Not in itself a bad thing, if it helps educate people who wouldn't previously consider security matters, but if it also increases comments and reduces the ratio of insightful comments, it will be a shame to those that are here for that commentary as much as the content.

(And the phrases themselves are fucking annoying.)

nonnee • July 10, 2014 8:37 AM

Hum, where's the special message telling that three-letter agencies or government / legal warrants aren't bounding Schneier??? I don't remember where they should be, on this site.

Until I find it out, I'm taking these blog headlines very seriously.

Joe • July 10, 2014 8:37 AM

"Li-Fi, or "light fidelity", is the branding name of a "post Wi-Fi" technology, that can be a complement of RF communication (Wi-Fi or Cellular network), or a replacement in contexts of data broadcasting. Li-Fi can be also bidirectional, like Wi-Fi, as a high speed and fully networked subset of visible light communications (VLC).

It is wireless and uses visible light communication (instead of radio frequency waves), that is part of the Optical Wireless Communications technologies, which carries much more information, and has been proposed as a solution to the RF-bandwidth limitations. A complete solution includes a standardization process, as proposed by the Li-Fi Consortium."


"Fridge hacked. Car hacked. Next up, your LIGHT BULBS
So shall you languish in darkness - or under disco-style strobes - FOREVER"

Rob • July 10, 2014 8:40 AM

Agree about the clickbait concerns. Many folks use headlines to judge the articles beneath them when deciding whether or not to read (click) the article, especially in search results where sources are less obvious - this point answers some of the other responses. (And btw/imo, people who judge books by covers are the smarter ones, not the dumberer ones!)

Please allow us to continue using our judgment reliably. This issue is popping up just as I am getting used to avoiding obvious clickbait.

CallMeLateForSupper • July 10, 2014 8:53 AM

Enough with the click-bait comments, folks. This thread is about weak security built into the LIFX bulb, a new product that, no doubt, could eventually become as ubiquitous and life-changing as the cell phone. This is important stuff and deserves our closest attention.


I think the title that Bruce ultimately committed to "paper" is not all that bad, compared to the others of this week, although its promoting the lowly lightbulb to "appliance" makes me squirm. For sure, my own best effort would have fallen far shorter of Brian Krebs' super-alliteration than Bruce's did. :-)

CallMeLateForSupper • July 10, 2014 9:11 AM

"[...]is there anybody else who thinks [updating a lightbulb] is crazy?"

It's not just you. A cell phone-controlled light bulb is pure solution-looking-for-a-problem - something to make $$ for a seller - nothing more. That it and other IOT thingies need s/w updates is nuttiness squared. I will not allow any such specimen on my property; you too can opt out.

trog • July 10, 2014 9:14 AM

I agree that these headlines are terrible. It seems like maintenance of this blog has been handed over to a social media "expert".

It completely disrupts the reading experience of the blog and, clearly, irritates long-time readers.

If this is indeed what has happened, I suspect that whoever is maintaining the site in Bruce's ... absence?... does not have permission to comment on this matter.

If you are reading this, mysterious headline writer/s, then please pass these comments up the chain.

Incredulous • July 10, 2014 9:34 AM

I'm praying that the point of these headlines is revealed by next Monday. I can't see why click-thru matters to Bruce, since this site does not appear to be ad supported. If we don't hear something soon I am going to assume that it is a canary and that Bruce is telling all the serious members that they should go away for their own good.

Bubbles • July 10, 2014 9:49 AM

So is it possible to write a program to turn all lights on for 1 minute and then off for 1 minute repeatedly for a large area? Could this crash the power grid?

Mark J. Blair • July 10, 2014 10:12 AM

The recent headlines are dreadful. They remind me of the brain-eating TV news that I quit watching several years ago. Please make it stop.

Regarding the LIFX bulbs, I can see some utility in light bulbs which work in existing fixtures and can be remotely controlled in intelligent ways. I can even see some utility in there being a WiFi gateway such that they can be controlled from the personal surveillance device -- er, I mean smart phone -- that's in my pocket much of the time anyway.

However, I gather from the LIFX web page that the features now under development and the APIs for controlling the bulbs are based on their "LIFX Cloud", which involves the bulbs communicating with the public Internet. Aside from the fact that I live in a rural area and tethering my cell phone is my only Internet access, I do not see any utility in my appliances connecting to the public Internet. Internet Protocol is fine, but I don't want or need my home appliances to communicate with anything or anybody outside my property boundary.

Using protocols layered on top of the Internet Protocol as a means to communicate with appliances can be a useful means to standardize things, but requiring appliances to phone home to a public site is firmly in my Do Not Want category.

squarooticus • July 10, 2014 10:45 AM

Regarding the bulbs, I am one of those suckers who owns some Hue bulbs. They are expensive, but definitely neat and useful: I like being able to adjust the color temperature to suit the time of day, as well as to add some color when desired. (I still need to build a disco mode into XBMC.) Don't knock it until you've tried it.

OldFish • July 10, 2014 10:51 AM

Isn't compromising site security the purpose of the "IOT"???

Re the article titles: How many articles per week are posted here? Compared to most of the information super garbage dump Bruce's site is low-bandwidth, high SNR. If he wants to fool around with the post titles, no harm done.

Czerno • July 10, 2014 10:56 AM

Clickbait headlines :

This blog is Not Secure As
it may be not under Bruce's
supervision any more... :=)

the truth • July 10, 2014 11:07 AM

Bruce, please regain management of your blog.

Without integrity you have nothing.


Laurel Krahn • July 10, 2014 11:26 AM

I know the clickbait headlines have been going on for less than a week because I was part of the conversation where we discussed how funny it would be for "just a week." And that was this past weekend.

Banana Skins • July 10, 2014 11:26 AM

Seriously .. 4 days of humorous click-bait titles ... this is simply an experiment (a la Facebook style) and shall end shortly

Clive Robinson • July 10, 2014 11:47 AM

It's not just insecure WiFi that worries me about IoT devices like light bulbs, they can also be a threat to life....

But first as I commented on the FriSquid page, from the write up it appears that the security fault is storing secrets by use of AES, with a hardcoded key. This sort of security mistake is oh so old, back in the 1990s VNC did the same thing but using a couple of generations earlier crypto (DES, not even 3DES).

But back to "life threatening" it is a foregone certainty that bulbs like this will become fairly standard. Not all will use E27 fittings, some in the UK for instance could end up using bayonet fittings. The problem is the control has moved from the "wall face plate" switch / dimmer to the bulb. Which will remain permanently powered, especially with longer lasting bulbs and "interior designers" not being particularly safety conscious, thus changing them incautiously could be a bit of a shock if not a pain in the heart...
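The key-management fault Clive describes, as an added illustration that is not part of the original post or LIFX's code: a constructed model in which one key is baked into every unit's firmware, beside a variant that derives a key per pairing. FIRMWARE_KEY, the printed pairing code and the message format are assumptions, and AES is stood in for by an HMAC-SHA256 keystream so the example runs on the Python standard library alone.

```python
"""Constructed model: credentials protected by a key shared across all units'
firmware, versus a key derived from a per-unit out-of-band secret. The weakness
shown lies in where the key comes from, not in the cipher."""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 12, 32


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR: XOR data with an HMAC-SHA256 keystream."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def try_read(key: bytes, blob: bytes):
    """Decrypt a captured message with `key`; None if the tag does not verify,
    i.e. the reader does not hold the key the sender used."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(keystream_xor(key, nonce, ct))


# --- Flawed design: the same secret key lives in every unit's firmware ------
# Constructed constant; anyone who pulls the public firmware image apart has it.
FIRMWARE_KEY = hashlib.sha256(b"constructed: identical in every shipped unit").digest()


def flawed_provision(ssid: str, psk: str) -> bytes:
    """Master bulb hands the Wi-Fi credentials to a newly joined bulb."""
    return seal(FIRMWARE_KEY, json.dumps({"ssid": ssid, "psk": psk}).encode())


# --- Hardened design: key derived per pairing from an out-of-band secret ----
def pairing_key(pairing_code: bytes, salt: bytes) -> bytes:
    """Key from a per-unit code printed on the bulb (hypothetical), stretched
    with PBKDF2; the code never appears in the firmware image."""
    return hashlib.pbkdf2_hmac("sha256", pairing_code, salt, 100_000)


def hardened_provision(pairing_code: bytes, salt: bytes, ssid: str, psk: str) -> bytes:
    """Same exchange; knowing the firmware no longer yields the key."""
    return seal(pairing_key(pairing_code, salt), json.dumps({"ssid": ssid, "psk": psk}).encode())


if __name__ == "__main__":
    salt = os.urandom(16)
    captured = flawed_provision("home-net", "hunter2")
    print("flawed, read with firmware key:", try_read(FIRMWARE_KEY, captured))
    captured = hardened_provision(b"7Q4K-9ZM2", salt, "home-net", "hunter2")
    print("hardened, read with firmware key:", try_read(FIRMWARE_KEY, captured))
    print("hardened, read with pairing key:", try_read(pairing_key(b"7Q4K-9ZM2", salt), captured))
```

In the flawed case the captured message is readable by anyone holding the firmware constant; in the hardened case the same listener gets an authentication failure, and the per-unit code is the only thing that unlocks it.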

David Leppik • July 10, 2014 11:58 AM

I'm pretty sure the clickbait titles are half joke, half experiment on Bruce's part. I can't imagine they'll last more than a week. Also, notice that the one post that isn't clickbait this week is his essay.

BTW, I love the new CAPTCHA. It's just unusual enough that bots won't bother to learn it, but a whole lot easier than deciphering a doodle. I used to use a similar trick ("What is the singular of octopus?") on my blog.

Clive Robinson • July 10, 2014 12:02 PM

Another objection I have to IoT is as a physical reality it's not environmentally friendly.

Let's assume that one of these IoT smart bulbs draws a tiny 11mW in standby that's 100W/year which might not sound too bad until you multiply it out by four or five lights minimum per room, which is what you currently need with a lot of LED-Bulbs.

But it could be a lot worse in my "lounge" I have four light rails with four spots each for illuminating pictures, two multiple halogen bulb center fittings to illuminate main tables and lamps on side tables and reading lamps by some chairs. Unless I'm entertaining nearly all of these lights are turned off with real switches with just a side or reading light being used when the room is in use. Now consider the thirty bulbs in this room as IoT devices that would be 3KW/year which is more than the energy efficient fridge uses...

John Beaty • July 10, 2014 12:38 PM

The whiners are doing more to drive away good content than any headlines. Good god, don't you people have anything better to do?

Chris Abbott • July 10, 2014 12:58 PM


Agreed. The whole IoT is ridiculous and poses a security catastrophe if all of this nonsense catches on. How many people are going to remember to update and secure light bulbs, mattresses, toilets, chairs, carpets, windows, gutters, God forbid plumbing and garbage cans, and God knows what else people think is a good idea to put on the internet...

Anura • July 10, 2014 1:08 PM

As a strong supporter of transhumanism, I do admit that after every new technology introduces new attack vectors with very little attention paid to security, I am a little worried about the security of the microchips that will eventually be implanted into my brain.

Jeff • July 10, 2014 1:53 PM

Regarding click-bait. Regular readers of this blog should recall that Bruce announced, upon posting his last installment of the NSA catalog, that he was going to be extremely busy (on a new book) and thus will be devoting less time to curating this blog.

No One • July 10, 2014 1:58 PM

RE: clickbait, etc.

I think the titles are leading to a surprise of sorts. Note the stilted syntax of this one. Also note the lack of reply on the matter, which is becoming a common complaint. Patience, and maybe an anti-emetic if needed. That's what I think.

Alex • July 10, 2014 2:49 PM

@Clive Robinson

1) You mean "Wh/year" and "KWh/year", not "W/year" and "KW/year".

2) If you're going to have issues about them being environmentally friendly or not, what has a much larger impact than 11mW x (# of bulbs), are the environmental issues associated with the extra materials used in the electronics. Those extra materials probably took far more energy to refine and process than that 11mW standby power would ever add up to.

3) If you want another way to put things in perspective, it's like leaving incandescents on for 15 more seconds per day, or leaving a LED bulb fully on for a couple minutes per day. It would offset that standby power usage if its smarts mean it's in its "off" state for even just a couple minutes more per day.

whpratt • July 10, 2014 3:46 PM

In agreement with Clive Robinson here. The security gaffe is both stupid and predictable, but the real sin is leaving the lights always on. I've already got too much stuff that I can't really turn off without unplugging.

You need one God bulb to do the WiFi (probably eating 2-3 Watts unless there's some incentive to optimise the hardware) and then the rest of the bulbs are using light-weight comms and 10-20 mW. Call the whole lighting array 3 watts unless you have a lot of bulbs. So the initial cost is 20-30 times Clive's estimate, but the first couple dozen bulbs are "free".

JonS • July 10, 2014 6:20 PM

From the immediately preceding blog post (the one about Muslims being spied on):

"One final note: I just couldn't think of a headline more sensationalist than the descriptive one."

Any more questions about the blog titles?

Mike • July 10, 2014 6:52 PM

Simple fix: Don't install a light bulb that can be controlled over your wi-fi network. Just use a light switch.

Thoth • July 10, 2014 9:29 PM

I wonder if too much connectivity and technology is doing us any good as we become more reliant on them but these new IoTs and technologies are not designed with proper security in mind until when things become a little late.

It's a pity the non-issue gets ahead of the issue...

Gilgamesh • July 10, 2014 10:34 PM

Anyone who buys that kind of crap deserves to have their password stolen.

Anura • July 10, 2014 11:27 PM


What do you expect me to do? Hire someone to walk over to the wall? To hell with that.

In all seriousness, I don't have a reading light by my couch, and sometimes I am pinned down by cats, making it physically impossible to get up to turn on the light so I can read. I do see the use for this kind of technology. I just think we need to standardize the internet of things so that we can make sure a) you have secure protocols for exchanging data, and b) IoT devices are segregated on networks by default to mitigate the impact of their inevitable hacking.

Karsten • July 11, 2014 1:32 AM

I'm a big fan of all these gadgets and own a couple of them. But from day one they were all placed on a separate DMZ. In the beginning I was called paranoid ... ;-)

dandraka • July 11, 2014 1:42 AM

@CallMeLateForSupper: "It's not just you. A cell phone-controlled light bulb is pure solution-looking-for-a-problem - something to make $$ for a seller - nothing more."

Although it's not just me, I'm baffled to find out that there are actually people that find this kind of stuff useful, or "cool", or whatever.

E.g. this morning, a colleague -a senior Oracle developer, no less- was showing me a chart of his weight, fat and BMI on an android app. The data was provided by his wifi-enabled bathroom scale (!); not sure if it was first uploaded to the cloud and back to his phone, or it's directly scale -> phone.

fajensen • July 11, 2014 2:44 AM


It is easier to crash the grid than all that:

The power grid is *old*, many of the old control systems communicate via RF-links, analogue modems, or by injecting HF-signals on the wires. I doubt that any serious form of encryption is used, if there is, it was probably good in the 1980's with hidden back-doors so the russkies couldn't use it. It is not a challenge to the tech we can buy right off the shelf (getting the 9 kHz signalling off the 140 kV lines *could* be a challenge and the basis of some excellent LiveLeak footage ..).

Hacking aside, most of the hardware is minimally protected - there is probably an alarm on the station perimeter and doors but it will take a good while for the police or private security dude to drive maybe 50 kilometers into the forest to check it out. Once inside a station there are no interlocks or keys required for f.ex. tripping the circuit breakers manually.

There will be a password on the SCADA system ... however, SCADA generally trust the network it runs on and all the devices on that network. With physical access one could sniff the traffic for years - nobody would notice, it is just not the kind of thing operators are looking for.

To me this is a good thing. This level of "security" and nothing happens. It shows that the people who want to screw up society hardly exist and the few that do are useless twats to boot. This is as it should be. All this paranoia and focusing on imagined threats is bad for the soul.

CallMeLateForSupper • July 11, 2014 6:15 AM

"[...] I'm baffled to find out that there are actually people that find this kind of stuff useful, or "cool", or whatever."

Don't misunderstand: I love gadgets, especially electrical/electronic ones. I also love good beer (and bock!). I drink very little beer, because I am at the stage of life where a calorie consumed is a calorie stored. I toss nearly every gadget out of the pram in short order because (1) I am difficult to amuse in the first place and (2) a cursory inspection is usually enough to nail the device as useless, dangerous, inefficient, overly expensive, silly... or some combination of these.

I believe that embracing "cool" is a Good Thing and that marrying "cool" is folly.

Zuc • July 11, 2014 10:01 AM

This is silly. First the headlines, and I simply cannot imagine Clive Robinson using the rather bizarre unit W/year in a serious conversation. Have they been replaced by bots?

Somebody • July 11, 2014 11:31 AM

The stand by power consumption of a LiFX bulb is 1.7W. Orders of magnitude more than Clive suggested. These are a toy.

That said there is a case for networked lights. I've worked on vehicles where we've reduced the weight by significant amounts by replacing a traditional wiring harness with networked controllers. It also reduced cost and increased reliability. In principle networked house lights offer the same advantages, although I would expect the network signals to use the power lines instead of WiFi.

whpratt • July 11, 2014 6:07 PM

1.7W is not bad, but if they are all 1.7W as opposed to 1.7W WiFi-speaking god node and many low power, low sniffing rate non WiFi slave nodes I'll be surprised and dismayed. Bonus points will be given for efficiently using the power wires as the comms channel.

Bruce Schneier • July 12, 2014 4:59 PM

"Regarding click-bait. Regular readers of this blog should recall that Bruce announced, upon posting his last installment of the NSA catalog, that he was going to be extremely busy (on a new book) and thus will be devoting less time to curating this blog."

That is manifesting itself as fewer essays by me. I'm still maintaining approximately the same rate of posting: 1-2 a day.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.