http://arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/
By Dan Goodin
Ars Technica
July 7, 2014
In the latest cautionary tale involving the so-called Internet of things,
white-hat hackers have devised an attack against network-connected
lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of
the LED devices.
The attack works against LIFX smart lightbulbs, which can be turned on and
off and adjusted using iOS- and Android-based devices. Ars Senior Reviews
Editor Lee Hutchinson gave a good overview here of the Philips Hue lights,
which are programmable, controllable LED-powered bulbs that compete with
LIFX. The bulbs are part of a growing trend in which manufacturers add
computing and networking capabilities to appliances so people can
manipulate them remotely using smartphones, computers, and other
network-connected devices. A 2012 Kickstarter campaign raised more than
$1.3 million for LIFX, more than 13 times the original goal of $100,000.
According to a blog post published over the weekend, LIFX has updated the
firmware used to control the bulbs after researchers discovered a weakness
that allowed hackers within about 30 meters to obtain the passwords used
to secure the connected Wi-Fi network. The credentials are passed from one
networked bulb to another over a mesh network powered by 6LoWPAN, a
wireless specification built on top of the IEEE 802.15.4 standard. While
the bulbs used the Advanced Encryption Standard (AES) to encrypt the
passwords, the underlying pre-shared key never changed, making it easy for
the attacker to decipher the payload.
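The root cause the article describes, a key and IV that never change, shown next to a per-pairing alternative, as an added Go example that is not part of the article or of LIFX's firmware; the key, IV and credential values are constructed stand-ins, and the X25519 plus AES-GCM construction is an illustrative fix, not the one LIFX shipped.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var firmwareKey = bytes.Repeat([]byte{0x42}, 16)           // constructed stand-ins for the
var firmwareIV = bytes.Repeat([]byte{0x11}, aes.BlockSize) // constants baked into every unit

// weakCrypt mirrors the flawed pattern: AES-CTR under a key and IV that never
// change. The keystream is the same for every message, so one call both
// encrypts and decrypts, and whoever pulled the constants from one unit reads all.
func weakCrypt(in []byte) []byte {
	block, _ := aes.NewCipher(firmwareKey)
	out := make([]byte, len(in))
	cipher.NewCTR(block, firmwareIV).XORKeyStream(out, in)
	return out
}

// pairKey derives a per-pairing key from an X25519 exchange, so the firmware
// constants alone are useless to an observer (SHA-256 stands in for a KDF).
func pairKey(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) []byte {
	shared, _ := mine.ECDH(theirs) // errors only on a curve mismatch
	sum := sha256.Sum256(shared)
	return sum[:]
}

// gcmSeal/gcmOpen use AES-GCM with a fresh random nonce: repeats are unlinkable
// and a wrong key or altered ciphertext is rejected instead of silently decoded.
func gcmSeal(key, plain []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plain, nil)
}

func gcmOpen(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
```

With the static scheme, two encryptions of the same credential are byte-identical and the firmware constants decrypt them; with the pairing scheme, only the two parties to the exchange hold the key, so an observer with the firmware constants gets an authentication error.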
"Armed with knowledge of the encryption algorithm, key, initialization
vector, and an understanding of the mesh network protocol we could then
inject packets into the mesh network, capture the Wi-Fi details, and
decrypt the credentials, all without any prior authentication or alerting
of our presence," researchers from security consultancy Context wrote.
[...]