Security Analysis of the LIFX Smart Light Bulb
The security is terrible:
In a very short limited amount of time, three vulnerabilities have been discovered:
- Wifi credentials of the user have been recovered (stored in plaintext into the flash memory).
- No security settings. The device is completely open (no secure boot, no debug interface disabled, no flash encryption).
- Root certificate and RSA private key have been extracted.
Boing Boing post.
Sok Puppette • January 30, 2019 10:44 AM
The real vulnerability here is, of course, the idea of putting a light bulb on the Internet to begin with.
More seriously, I’m prepared to believe that there are real problems here, but the article is breathless and very light on explaining impact.
Why is it terrible if I can reflash a light bulb given physical access? I am REALLY having trouble generating any outrage over the ability to JTAG a light bulb. In fact I would prefer to be able to JTAG my own light bulbs.
A remote OTA update would be a different matter. You could even get a Philips-style light bulb worm going. But TFA doesn’t mention whether OTA updates are possible at all. And if you had Secure Boot(TM) and all that, that still doesn’t mean I couldn’t remotely make the bulb misbehave, or brick it, by messing with intentionally mutable configuration.
Why do I care if a fixed credential, used only at installation time, is stored in plaintext in the firmware, when obviously the control app already knows it? Encrypting it wouldn’t help, and making it variable would break installation. The problem is with the whole installation flow, and there’s no commonly used flow that does better. Or is this WiFi password something else?
What does it use the cert/key for anyway? Obviously that whole approach to crypto is completely broken, and I’m prepared to care about that, but I need to know what’s actually exposed to figure out how much.