That LIFX Smart Lightbulb Hack Wasn’t Easy

If you’ve been following your Internet of Things security news, you probably read about the latest hack of a consumer-oriented ‘smart home’ device: Context Information Security’s analysis of security holes in LIFX-brand smart light bulbs.

Researchers had to dig deep into LIFX's hardware and software to hack the smart lightbulb.
Researchers had to dig deep into LIFX’s hardware and software to hack the smart lightbulb. 

The top line on this is scary enough. As The Register reported: researchers at Context discovered that, by gaining access to a “master bulb” in LIFX deployments, they could control all connected lightbulbs and expose user network configurations.

That’s scary – and recalls research on hacking Philips HUE light bulbs that was published last year.

But read down in the Context research and you’ll realize that, while the LIFX technology wasn’t perfect, the job of hacking the technology wasn’t child’s play, either.

LIFX connected its smart bulbs using a 6LoWPAN-based mesh network. The company made the mistake of transmitting most bulb-bulb communications in the clear, which made analyzing traffic sent between master- and slave bulbs easy. Context researchers found they could inject packets into the network and mimic the behavior of a bulb requesting WiFi credentials from the master bulb.

However, sensitive information sent between the bulbs was encrypted, such as transmitting wi-fi network credentials when new lightbulbs joined the network. To do more, they needed to break the encryption used by LIFX.

That task wasn’t easy. Context researchers first obtained the firmware by extracting it from the micro controllers embedded within the LIFX bulbs – basically cracking the bulbs open and extracting the printed circuit board (PCB) inside.

The researchers needed to analyze the PCB, figure out what components it used and – in particular- the System on Chip (SOC) integrated circuits that control the 6LoWPAN and WiFi communications (manufactured by Texas Instruments and STMicroelectronics), as well as the underlying architecture of those circuits. (Both used the ARM Cortex-M3 processor.)

Once they reverse engineered those devices, the researchers had to get access to the flash memory on the chips in order to extract and begin reverse engineering the firmware. This was no easy task: Context said that it used a JTAG (Joint Test Action Group) debugger – a specialized tool for testing microcontrollers for defects.

Once they had extracted the firmware in the form of a “binary blob” image, Context researchers turned to IDA Pro, a common reverse engineering tool to identify the parts of the firmware code that handled encryption and decryption routines and extract the encryption key, initialization vector and block mode.

Armed with that knowledge and an understanding of the mesh network protocol, the researchers were finally in a position to “hack” the LIFX installation: injecting packets into the mesh network to obtain the WiFi credentials, then decrypting the credentials without any notice of their presence or malicious actions.

Security concerns about smart home technology is real. Previous hacks: like those carried out against the HUE lightbulbs or IZON cameras were trivial and easily within reach of even unsophisticated users.

There were certainly gaps in LIFX’s model: the failure to encrypt all intra-bulb communications was one. The absence of some kind of alert mechanism around significant events, such as new lightbulbs joining the network, was another. But not all hacks are equal. While the headlines out of Context Information Security were about another smart home device that is vulnerable to hacking, the actual research tells a somewhat less sensational tale of a company that had taken steps to secure its product, and that fell victim to extremely sophisticated and persistent attackers – that’s a bar that few product manufacturers in any industry could clear.

Read the full analysis by Context Information Security here: Hacking into Internet Connected Light Bulbs.

Comments are closed.