Please remember to shred your old devices... :)

A good read-up from Limited Results about the horribly insecure state of IoT devices in general. They grabbed a dead bulb and went to town on it, and after just soldering a couple of leads could not only grab the credentials to the WiFi network the bulb was connected to, but also the root cert and private key from the manufacturer, which for some reason was present in the device.

I mean it won’t mean much to dispose of this with extreme prejudice when it comes to the cert and the key – that’s a problem that the manufacturer has to sort out – but you don’t want your WiFi credentials out there in the wild. :slight_smile:

https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/

1 Like

It’s a good reason not to use Wi-Fi bulbs on the outside of your home, or if you have reason to believe you would be an individual target. But other than that, in most cases when you dispose of such bulbs it’s unlikely that anyone would know your home address, so the credential isn’t going to do them much good.

A porch light, though, is a different matter. And in particular, if you find that someone has stolen one of your WiFi bulbs, change your Wi-Fi passwords immediately.

I would, however, argue that vulnerability in a Wi-Fi device is not the same thing as an IOT vulnerability in general. :sunglasses:

6 Likes

A good point, although the private key and root cert business can be a concern, since it means you could have several devices on your network that could be fooled into trusting a bad actor.

From there it’s just traversal around your network and next thing you know your internet-connected toilet doesn’t flush.

I have decided to switch as many wifi related devices to locally proceed devices to prevent these things from happening. So all my WeMO is going away for sure. I think Chamberlain MyQ might be on Wifi for the bridge but there isn’t anything I can do about that without moving to GoControl which I am not ready to do just yet.

There’s always a good argument to be made for an isolated network where your home automation stuff sits, and work out the networking that would allow a hub only (if that) to go outside for remote access.

1 Like

Yes - at some point I will leverage the capabilities of my UniFi setup to separate out a VLAN for my IOT. But I am not that skilled and don’t really know where to start!

Oh… UniFi you say? Yeah I’m sure that’s going to be near impossible…

:slight_smile:

1 Like

That article is a couple of years ago. Lots has changed in the GUI to bring new functions and better configuration for stuff like this. My big thing is understanding how to setup the ports forwarding internal to the LAN so that everything talks correctly between networks. Like using my phone as a presence sensor. The phone will be on one LAN and the ST hub will be on the VLAN with a separate subnet.

What a crappy situation that would be.

Hey…someone had to go there.

LIFX has now announced that it fixed all the vulnerabilities mentioned in the article as of the end of 2018

https://www.lifx.com/pages/privacy-security

A report posted by Limited Results on 23.01.2019 claimed that three categories of security vulnerability exists in our lights. Indeed we have been working in collaboration with Francois from LR since he alerted us to these, with thanks, in 2018. In response, we have already addressed each vulnerability with firmware updates during Q4 2018:
.
#1: WiFi credentials are now encrypted
.
#2: We have introduced new security settings in the hardware
.
#3: Root certificate and RSA private key is now encrypted

2 Likes

I wonder how they handled the cert issue though… you would need to revoke the old cert to make it invalid, even if it’s now encrypted on the bulb.

And the private key would need to be replaced outright… unless they figure that by simply encrypting it now it would mitigate the issue. That’s like writing your password down in a post-it then destroying the post-it note after you were told that was a good idea. It doesn’t do much good if you’re still using the same password though.

And the voluntary firmware upgrade is a toss-up. You obviously want to make people upgrade (particularly when you’re the one that messed up) but at the same time you don’t want to advertise that you messed up and now people have to upgrade the firmware – which hopefully goes without incident.