The internet of things (IoT) has been described as creating a coming tsunami of data, as everything from toilets to microwaves get connected. But it's also a security "wave of terror" in some respects as every new connection threatens to be a portal for cybercriminals. For instance, researchers at Context Information Security have been able to expose a security weakness in that most generic of home and enterprise possessions: the lightbulb. Specifically, a Wi-Fi-enabled, energy-efficient LED light bulb that can be controlled from a smartphone.
LIFX bulbs connect to a Wi-Fi network, allowing them to be controlled using a smartphone application. In a situation where multiple bulbs are available, only one bulb will connect to the network. This "master" bulb receives commands from the app, and broadcasts them to all other bulbs over an 802.15.4 6LoWPAN wireless mesh network.
By gaining access to the master bulb, Context was able to control all connected light bulbs and expose user network configurations, which would open the door to the home or business LAN. Context researchers found that they were able to monitor packets on the mesh network and identify the specific packets that shared the encrypted network configuration among the bulbs.
The bulb manufacturer has since worked closely with Context to promptly patch the issue, which is now available as a firmware update.
The LIFX project started off on crowd funding website Kickstarter in September 2012 where it proved hugely popular, bringing in over 13 times its original funding target. However, "prior to the patch, no one other than Context had exposed this vulnerability, most likely due to the complexity of the equipment and reverse engineering required", said Simon Walker from LIFX, in a statement on the issue.
The work by Context is part of ongoing research into the security of the emerging IoT landscape and raises some questions. "It is clear that in the dash to get onto the IoT bandwagon, security is not being prioritized as highly as it should be in many connected devices", said Michael Jordon, research director at Context. "We have also found vulnerabilities in other internet connected devices from home storage systems and printers to baby monitors and children's toys. IoT security needs to be taken seriously, particularly before businesses start to connect mission critical devices and systems."
The detailed steps of gaining access to the device involved accessing the firmware by physically interrogating the device's embedded microcontrollers to identify and understand the encryption mechanism in use. Armed with knowledge of the encryption algorithm, key, initialization vector and an understanding of the mesh network protocol, Context was able to inject packets into the mesh network, capture and decrypt the network configurations, all without any prior authentication or alerting of its presence.
"Hacking into the light bulb was certainly not trivial but would be within the capabilities of experienced cyber criminals", said Jordon. "In some cases, these vulnerabilities can be overcome relatively quickly and easily as demonstrated by working with the LIFX developers. In other cases the vulnerabilities are fundamental to the design of the products. What is important is that these measures are built into all IoT devices from the start and if vulnerabilities are discovered, which seems to be the case with many IoT companies, they are fixed promptly before users are affected."