Hacking Internet Connected Light Bulbs

Posted by Soulskill
from the not-a-bright-idea dept.
An anonymous reader writes: We've been calling it for years — connect everything in your house to the internet, and people will find a way to attack it. This post provides a technical walkthrough of how internet-connected lighting systems are vulnerable to outside attacks. Quoting: "With the Contiki installed Raven network interface we were in a position to monitor and inject network traffic into the LIFX mesh network. The protocol observed appeared to be, in the most part, unencrypted. This allowed us to easily dissect the protocol, craft messages to control the light bulbs and replay arbitrary packet payloads. ... Monitoring packets captured from the mesh network whilst adding new bulbs, we were able to identify the specific packets in which the WiFi network credentials were shared among the bulbs. The on-boarding process consists of the master bulb broadcasting for new bulbs on the network. A new bulb responds to the master and then requests the WiFi details to be transferred. The master bulb then broadcasts the WiFi details, encrypted, across the mesh network. The new bulb is then added to the list of available bulbs in the LIFX smart phone application."
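An added example, not part of the original post and not LIFX's protocol: a receiver that rejects the crafted and replayed frames the quote describes by checking a keyed tag and a per-sender counter. The frame layout, the key, and the sender ID are constructed assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16   # truncated HMAC-SHA256 tag, in bytes
HDR_LEN = 12   # 8-byte sender id + 4-byte counter (hypothetical layout)

def seal(key: bytes, sender: int, counter: int, payload: bytes) -> bytes:
    """Build a frame: sender id | counter | payload | tag."""
    header = struct.pack(">QI", sender, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seen = {}  # sender id -> highest counter accepted so far

    def accept(self, frame: bytes):
        if len(frame) < HDR_LEN + TAG_LEN:
            return None, "short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        want = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):   # constant-time comparison
            return None, "bad-tag"               # crafted or modified frame
        sender, counter = struct.unpack(">QI", body[:HDR_LEN])
        if counter <= self.last_seen.get(sender, -1):
            return None, "replay"                # captured frame sent again
        self.last_seen[sender] = counter         # update only after the tag verifies
        return body[HDR_LEN:], "ok"

def demo():
    key = bytes(range(32))            # constructed network key
    master = 0x0011223344556677       # constructed sender id
    rx = Receiver(key)
    on = seal(key, master, 1, b"power=on")
    off = seal(key, master, 2, b"power=off")
    forged = seal(b"\x00" * 32, master, 3, b"power=on")  # sender lacks the key
    tampered = bytearray(seal(key, master, 3, b"power=on"))
    tampered[HDR_LEN] ^= 0x01                            # payload bit flipped in transit
    frames = (on, off, on, forged, bytes(tampered))      # third frame is a replay
    return [rx.accept(f)[1] for f in frames]

if __name__ == "__main__":
    print(demo())
```

This gives integrity and freshness only; it does not hide the payload, and a real device would also need to persist the counters across reboots.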
  • Just don't do it.

    • by axlash (960838)

      I get that large industrial/office complexes might want to automate/regulate lighting, but why would you want to do this for your home?

      Looks like overkill to me.

      • by drinkypoo (153816)

        I get why I'd want to do it at home, but not why I'd pay someone else to do it. You can get Arduinos or whatever around ten bucks, if you're willing to deadbug or make your own boards by one method or another you can do your own automation for pennies on the dollar. And I'd rather use a serial loop than ethernet anyway. Sure, I wouldn't implement any security either, but the obscurity of a custom system that's just not on an ethernet would discourage casual attackers, which is about all I would reasonably e

        • by Albanach (527650)

          I get why I'd want to do it at home, but not why I'd pay someone else to do it

          I'm not sure how you're going to create an aesthetically pleasing multi color 1,000 lumen LED that fits in a standard lamp using a $10 controller. Plus create an app or web interface to control timing/dimming/color. If you figure it out, please post the details as I'm sure lots of folk would love to take on that project.

          In the meantime, I'm thinking these look pretty neat if a little expensive since I think you'd need quite a few

          • by drinkypoo (153816)

            I'm not sure how you're going to create an aesthetically pleasing multi color 1,000 lumen LED that fits in a standard lamp using a $10 controller.

            I'm talking about the automation, not the lighting itself. And I don't care if it fits into a standard lamp if I make the modifications myself

            In the meantime, I'm thinking these look pretty neat if a little expensive

            They're a lot expensive. And insecure.

      • Sounds like dumb, sorry smart grid technology :)
        • Sorry about this comment, think of what else may be built into the common light bulb, and realize the security and privacy implications. Then think of the recent miniaturizations that have been put forward, with the higher input voltages, what else needs to be available for low level spying.
      • Re:Borg Home (Score:5, Insightful)

        by GNious (953874) on Friday July 04, 2014 @05:52PM (#47385609)

        (disclosure: I own LIFX lightbulbs, and wrote an app that controls them)
        "Smart-home" stuff is, currently, mostly toys - you have them for doing stuff that you largely don't need to do.
        Some Smart-home stuff is able to go beyond the toy-stage, like intelligent control of heating, remote monitoring etc, where they can serve specific, valuable purposes.

        Intelligent lightbulbs? Mine are able to entertain the kids for 20 minutes (let them go amok with the app), while I worked on making my phone advise me of SMSes and emails via a brief colour-change to a bulb; this is still in the toys-stage, but slowly starts serving a purpose.

        So, in view of you stating it is overkill, I'd ask whether saving on your heating bill is overkill, or whether having fun with setting lighting-levels and -colours is overkill?
        Naturally, the answer depends on your values in life :)

        Note: My latest suggestion for use of Smart-home equipment was to mix a LIFX lightbulb with a Doorbot (doorbell with camera and wifi), to alert a deaf person of the doorbell being used, by sending visual cues via the lightbulbs (specific colour-change).

        • by Anonymous Coward

          Here's a list of reasons why I don't like the Internet of Things:

          1) Internet of Things devices could watch me while I sleep.

          2) Internet of Things devices could watch me while I pee.

          3) Internet of Things devices could watch me while I make kaka.

          4) Internet of Things devices could watch me while I pleasure myself.

          5) Internet of Things devices could watch me while I wash my body in the shower.

          6) Internet of Things devices could watch me while I relax in the tub.

          7) Internet of Things devices could watch me whil

          • by Anonymous Coward

            data unsuspectingly collected about me while I listen to the Backstreet Boys.

            Your list all seemed like normal stuff until I got to that one.

            Now I see what you have to hide. You should be ashamed.

          • Internet of Things devices could watch me while I

            type the same phrase over and over, but could have copy/pasted if I really understood the internet of things.

          • by MMC Monster (602931) on Saturday July 05, 2014 @07:04AM (#47387553)

            #1 - You're not that interesting.

            #2 - Connected devices can have interesting power management solutions. It's not just adjusting the home temperature when it figures out no one's going to be home for 8 hours. What about adjusting when the fridge uses the most power during times when electricity is the cheapest? Or sending you a text message if the motion detectors go off but your car is not in the driveway/garage? Or have lights go on just after dusk (regardless of time of year) and go out at a random time between 10 and 11pm (unless motion suggests people are home)?

            The upfront cost of these devices is a bit more. To be absorbed by early adopters, of course. But when the prices come down and the kinks straightened out, they can be quite useful.

            OnTopic: My neighbor showed me the app he had on his phone to monitor his pool. It allowed him to monitor temperature, pH, turn the filter and heater on, etc. The installer gave it a default 4 digit passcode, which was apparently the same four digit passcode that every other installation had. Since the ID number of the pool was adjustable, my neighbor joked that he would sometimes log into random people's pools and flash their pool lights (and had others do it to him as well). Fortunately no one's raised the pool temperature to 90 degrees or something like that (yet).

        • by axlash (960838)

          I'm being very specific here - I'm referring to internet controlled home lighting. If all I care about is switching on/off lights, it is overkill.

          I can't say I'm too hot ('scuse the pun) on remote controlled heating either; I'd need to see significant savings before I was tempted to invest in that.

          Of course, if this is all about having fun while engaging in a home project, that's another story altogether.

          • Once you have invested in all these 'cool' technologies it is a given that the government will link them up with smart metering and control your shit. All for the benefit of the children. Probably Honduran ones.
        • by AmiMoJo (196126) *

          It's sad that we are a long way behind on home automation in the west. The Japanese have had this stuff for years now, and it works well.

          For example many air conditioning units can be linked via wifi for remote control. When you are 5 minutes from home your phone notifies the air-con to turn on max and be ready for your arrival, at which point it can turn right down to avoid giving you the chills. The air-con itself has a sensor that makes sure it directs cold air away from you when you are in the room.

          You

      • Re:Borg Home (Score:4, Interesting)

        by GNious (953874) on Friday July 04, 2014 @05:55PM (#47385621)

        (disclosure: I own LIFX lightbulbs, and wrote an app that controls them)
        "Smart-home" stuff is, currently, mostly toys - you have them for doing stuff that you largely don't need to do.
        Some Smart-home stuff is able to go beyond the toy-stage, like intelligent control of heating, remote monitoring etc, where they can serve specific, valuable purposes.

        As for "intelligent" lightbulbs? Mine are able to entertain the kids for 20 minutes (let them go amok with the app), while I worked on making my phone advise me of SMSes and emails via a brief colour-change to a bulb; this is still in the toys-stage, but slowly starts serving a purpose.

        So, in view of you stating it is overkill, I'd ask whether saving on your heating bill is overkill, or whether having fun with setting lighting-levels and -colours is overkill?
        Naturally, the answer depends on your values in life :)

        Note: My latest suggestion for use of Smart-home equipment was to mix a LIFX lightbulb with a Doorbot (doorbell with camera and wifi), to alert a deaf person of the doorbell being used, by sending visual cues via the lightbulbs (specific colour-change).

        • by Stan92057 (737634)
          I really question the savings; the device will need a 24/7 internet connection, constant monitoring. That costs money that was not being used before. We need to be finding things that don't use any more unreplenishable resources like coal, oil. Now a device that doesn't have to connect to the internet would be a much more cost saving device. The non-internet device can be charged by solar. But I'm not saying people shouldn't use it, if they can afford it sure use it, but I think they are not saving anything in
        • by matria (157464)

          Sounds like this sort of thing could be useful in the Deaf community - have the lighting flash different colors for various alarms and notifications.

      • by Stan92057 (737634)
        Knowing what I know, using these internet connected devices is a really really bad idea. Not because they are useless but because we have far too many bad people trying to game the system, and steal from everyone they can. Including Corporations "Google" thinking it's their god given right to gain access to our most private of places, our home. Stay out, you're not wanted, so me, I'm using thumb power to turn my utilities on and off tvm :)
    • by antdude (79039)

      "Just do it." --Nike Borgs

    • Resistance is futile.
  • Imagine if Pinky and the Brain had possessed such capabilities! They could not have been stopped. [youtube.com]

  • At least they didn't have to drill a hole through the roof.

  • by Anonymous Coward

    No need to mess with anybody. Just read temperature sensors with home-brew receiver. It now scans the entire range and decodes multiple models of sensors. Most of the 433MHz sensors are extremely easy to decode... I see no reason why they shouldn't be. Would suck if they encrypted them. The power outlet control devices though.... why would you not encrypt that? I was able to start controlling my own 110v devices with custom receiver/transmitter in about 1 day of hacking no problem. Should be e

  • by Anonymous Coward

    I recall visiting a house in the 1950s that had all the light switches connected to a relay bank in the basement. (low voltage to the switches). This meant for example that you could push the right switch and turn every light in the house on at once. Of course this had to be done when the house was being built. The home was owned by a GE employee. Here is a link to parts for that kind of system: http://www.kyleswitchplates.com/ge-low-voltage-relays-transformers/

    So all you have really done is changed from ded

  • And no one remembers the episode of the Big Bang Theory where the guys did just that and let hackers control their lights and remote control cars?
