
Hackers find security weaknesses with the Lifx smart LED

A team of British security consultants hacked their way into a private Wi-Fi network -- using Lifx bulbs as the backdoor.

Ry Crist Senior Editor / Reviews - Labs


A team of security experts in England recently hacked their way into a smart home's Wi-Fi network. Their inside man? The Lifx color-changing smart LED.

As first reported by LEDinside, Context, a UK-based consulting firm specializing in security, recently demonstrated an exploitable weakness within Lifx's mesh networking protocol, prompting Lifx to put out a quick firmware fix.

Initially a success on Kickstarter, Lifx smart LEDs are now available in the US, Australia, and throughout much of Europe and Asia. The bulb's stock is largely seen to be on the rise after it raised $12 million (about £7 million, or just shy of AU$13 million) in Series A funding from venture capital firm Sequoia Capital in June, shortly before being showcased for its third-party integration into Google's Nest-centric smart home ecosystem.

In a typical Lifx setup, one bulb will automatically serve as the "master," communicating directly with your smartphone and then relaying all info to other "slave" bulbs. Context's team was able to hack their way in by posing as a new slave bulb and tricking the master bulb into sending them Wi-Fi credentials -- the last thing you want a hacker to get their hands on.

On top of that, nothing that Context did raised any red flags within the Lifx network, or on the Lifx app. There wasn't even a notification that a new bulb was asking to join the network.

The Wi-Fi credentials shared by the master bulb were encrypted, but Context's team was able to decrypt them rather easily by reverse-engineering Lifx's own firmware.

Even more alarming was the fact that the decryption protocol Lifx bulbs were using to decode these credentials was a global one. If a hacker were to get their hands on it, they'd essentially have a skeleton key capable of letting them into any network that uses Lifx bulbs.

Don't race to uninstall your smart lighting just yet, though. Context immediately informed Lifx of the vulnerability, then described the tech start-up's response as "proactive." A firmware update that claims to eliminate the problem has already been issued.

The update also instituted a new, non-global method of decryption that's based on the specific Wi-Fi network in question. That should put an end to any skeleton key concerns.
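The difference between a global key and a network-specific one can be shown in a few lines. This is an added illustration, not Lifx's or Context's code: the key constant, the PBKDF2 derivation, the `mesh-v1` salt label, the sample payload and the HMAC-based cipher (a standard-library stand-in for a real authenticated cipher) are all assumptions.

```python
import hashlib, hmac, secrets

# Constructed stand-in for a constant shipped in every unit's firmware (not a real value).
GLOBAL_FIRMWARE_KEY = bytes(range(32))
SAMPLE = b"ssid=HomeNet;psk=correct horse battery"  # constructed sample payload

def network_key(ssid: str, passphrase: str) -> bytes:
    """Assumed per-network derivation: only holders of the Wi-Fi secret can compute it."""
    salt = b"mesh-v1|" + ssid.encode()
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stdlib stand-in for a real AEAD such as AES-GCM.
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def compare_designs():
    """What a holder of only the firmware constant can read under each design."""
    home = network_key("HomeNet", "correct horse battery")
    old_blob = seal(GLOBAL_FIRMWARE_KEY, SAMPLE)   # same key in every household
    new_blob = seal(home, SAMPLE)                  # key tied to this network
    return {
        "global_key_opens_old": open_sealed(GLOBAL_FIRMWARE_KEY, old_blob),
        "global_key_opens_new": open_sealed(GLOBAL_FIRMWARE_KEY, new_blob),
        "other_network_opens_new": open_sealed(network_key("Cafe", "guest1234"), new_blob),
        "home_member_opens_new": open_sealed(home, new_blob),
    }

if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(name, value)
```

With a per-network key, a new device has to be given the Wi-Fi secret through some other channel before it can read mesh traffic, so a bulb that merely announces itself learns nothing.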

In addition, Context admits that the hack isn't the most practical one that they've seen, since the attacker would need to be within wireless range (about 30 meters) in order to pull it off. Still, if you're a smart-lighting enthusiast with an out-of-date Lifx app, now would probably be a good time to update.