The dark side of IoT lighting devices HOTforSecurity

The dark side of IoT lighting devices


By: Alexandra Gheorghe | April 19, 2016 | Posted in: E-Threats

Smart lighting IoT devices are prone to attacks that expose households and their inhabitants to discomfort and,
more importantly, to mass surveillance, privacy exposure and data theft.

Bitdefender researchers analyzed the LIFX bulb, a successful crowdfunding project started in September 2012,
and found it vulnerable to traffic interception. Coincidentally, the LIFX product was subjected to a hacking
experiment in 2014 and was seen leaking Wi-Fi credentials through the wireless mesh network connecting the
bulbs. At that time, the company announced it would provide a fix.


The vulnerabilities
The LED lighting market is booming, as lightbulbs become more feature-rich and affordable with each model.

Manufacturers are heavily focused on connecting chip-driven lighting products, making them talk to one another and
to broader networks.

The LIFX Bulb is a smart LED that connects to a Wi-Fi network and allows users to control house lighting via a
smartphone app. The device is fully compatible with Google Nest, Scout alarm system, Amazon Echo, Flic and
other IoT devices.

The smart bulb carries a design vulnerability: an attacker can switch the device on and off five times to reset the
device and start the configuration process, initializing the creation of a new hotspot.

Moreover, any control command is executed without authentication, so sending requests from an Android app
installed on a different device could change lighting settings such as temperature, color etc.

The impersonation attack

During normal setup, the device creates a hotspot used by the Android app to manage initial configuration of the
device. The device asks for the username and password of the home network and once the user enters the
credentials, the bulb connects to the Internet and the hotspot is closed.

[…] discovered that a device reset can be done from a physical switch outside the user's home, for […] the user
sees that the bulb is not working, he will try to re-register it in the application. Meanwhile the […] an identical
fake hotspot by manipulating the device's MAC and SSID. The fake hotspot will appear […] along with the
authentic one and will fool the Android app looking to establish a connection. As a […] will be connected to
attacker's fake hotspot and leak the username and password of their Wi-Fi […]

Bitdefender has unsuccessfully tried to contact the vendor and inform them of the research findings. The attack is
still possible on the LIFX app version, 3.3.0.1, downloaded by 50,000 users as of this writing.
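
A defender's view of the cloned hotspot described above, as an added example that is not from the original article or from Bitdefender's research: two radios beaconing the same SSID and MAC tend to differ in channel or signal strength when watched from a fixed monitor over a short window. The beacon tuples, the SSID `BULB-SETUP-0001`, the MAC addresses and the 20 dB threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed beacon observations from a stationary monitor (not real captures):
# (seconds, ssid, bssid, channel, rssi_dbm)
BEACONS = [
    (0.0, "HomeNet", "aa:bb:cc:00:00:01", 6, -48),
    (0.1, "BULB-SETUP-0001", "02:00:5e:10:20:30", 1, -71),
    (0.2, "BULB-SETUP-0001", "02:00:5e:10:20:30", 1, -70),
    (0.3, "BULB-SETUP-0001", "02:00:5e:10:20:30", 11, -39),  # same identity, other radio
    (0.4, "BULB-SETUP-0001", "02:00:5e:10:20:30", 11, -40),
    (0.5, "HomeNet", "aa:bb:cc:00:00:01", 6, -49),
    (0.6, "GuestNet", "aa:bb:cc:00:00:02", 6, -50),
    (0.7, "GuestNet", "aa:bb:cc:00:00:02", 6, -52),
]
RSSI_SPREAD_DB = 20  # assumed threshold; tune for the environment


def find_twin_hotspots(beacons, rssi_spread_db=RSSI_SPREAD_DB):
    """Return {(ssid, bssid): [reasons]} for identities that look like two radios."""
    seen = defaultdict(lambda: {"channels": set(), "rssi": []})
    for _ts, ssid, bssid, channel, rssi in beacons:
        entry = seen[(ssid, bssid.lower())]
        entry["channels"].add(channel)
        entry["rssi"].append(rssi)
    findings = {}
    for ident, entry in seen.items():
        reasons = []
        if len(entry["channels"]) > 1:
            reasons.append("channels " + ",".join(map(str, sorted(entry["channels"]))))
        spread = max(entry["rssi"]) - min(entry["rssi"])
        if spread >= rssi_spread_db:
            reasons.append(f"rssi spread {spread} dB")
        if reasons:
            findings[ident] = reasons
    return findings


def same_ssid_other_bssid(beacons):
    """SSIDs advertised by more than one BSSID (a partial clone, or a multi-AP network)."""
    by_ssid = defaultdict(set)
    for _ts, ssid, bssid, _ch, _rssi in beacons:
        by_ssid[ssid].add(bssid.lower())
    return {s: sorted(b) for s, b in by_ssid.items() if len(b) > 1}


if __name__ == "__main__":
    for (ssid, bssid), reasons in find_twin_hotspots(BEACONS).items():
        print(f"possible cloned hotspot {ssid} ({bssid}): {'; '.join(reasons)}")
```

A finding here is a prompt to investigate, since an access point that legitimately changes channel during the window produces the same signal.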

Security implications

"This attack technique is restricted by proximity and requires a certain degree of technical knowledge, but is not
the only type of attack that can be carried out," says Radu Basaraba, malware researcher at Bitdefender.

This research draws attention to the need to embed proper security in the life cycle of devices, as they still lack
strong authentication mechanisms when pushed to market. It also reminds users to pay attention and conduct
thorough market research before purchasing any new devices that might endanger their privacy.

Researchers from Bitdefender Labs have investigated a random selection of IoT devices (a smart LED, a Wi-Fi
enabled switch, a Wi-Fi audio receiver and a smart power adapter) and will share more worrisome findings. Note:
the scrutinized gadgets have been chosen randomly, based on popularity, product reviews and price affordability.

This article is based on the technical information provided courtesy of Bitdefender researchers Dragos Gavrilut,
Radu Basaraba and George Cabau.

All product and company names mentioned herein are for identification purposes only and are the property of, and
may be trademarks of, their respective owners.

About The Author

Alexandra Gheorghe
Security Specialist
Alexandra started writing about IT at the dawn of the decade when an iPad was an
eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her
background in PR and marketing communications to translate binary code to colorful stories
that have been known to wear out readers' mouse scrolls. Alexandra is also a social media
enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.