Stealing WiFi From LED Lightbulbs

LIFX Wireless LED PCB

Back in 2012, the LIFX light bulb launched on Kickstarter, and was quite successful. This wireless LED lightbulb uses a combination of WiFi and 6LoWPAN to create a network of lightbulbs within your house. Context Information Security took a look into these devices, and found some security issues.

The LIFX system has a master bulb. This is the only bulb which connects to WiFi, and it sends all commands out to the remaining bulbs over 6LoWPAN. To keep the network up, any bulb can become a master if required. This means the WiFi credentials need to be shared between all the bulbs.

Examining the 6LoWPAN traffic, they found an encrypted binary blob containing the WiFi credentials. The blob could easily be captured over the air with an AVR Raven evaluation kit, but was unreadable since it was encrypted.

After cracking a bulb apart, they found JTAG headers on the main board. A BusBlaster and OpenOCD were used to communicate with the chip. This allowed the firmware to be dumped.

Using IDA Pro, they determined that AES was being used to encrypt the WiFi credentials. With a bit more work, the key and initialization vector were extracted from the firmware. Because every bulb shipped with the same key and IV, credentials sent over the air by any LIFX bulb could be decrypted.

The good news is that LIFX fixed this issue. The encryption key is now derived from the WiFi credentials themselves, so there is no longer a single global key shared by every bulb that can be recovered from one device and used against all the others.
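The difference between the two designs is easiest to see in code. The following Go program is an added example, not LIFX's or Context's code: it models the flawed scheme (one AES key and IV compiled into every unit) and an illustrative per-network scheme (key derived from the SSID and passphrase with HMAC-SHA256), then plays the attacker who dumped the key from one bulb. The key, IV, credential blob layout (SSID, NUL, passphrase) and the KDF are all constructed for this example and are not the real LIFX values or format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-ins for a key and IV compiled into every unit of a product.
// Made-up values for this example, not anything recovered from LIFX firmware.
var (
	globalKey = []byte("example-global-key-0123456789abc") // 32 bytes -> AES-256
	globalIV  = []byte("example-fixed-iv")                 // 16 bytes
)

// Credential blob layout assumed for this example: ssid, NUL byte, passphrase.
func packCreds(ssid, psk string) []byte { return []byte(ssid + "\x00" + psk) }

func unpackCreds(b []byte) (ssid, psk string, err error) {
	i := bytes.IndexByte(b, 0)
	if i < 0 {
		return "", "", errors.New("no separator in decrypted blob")
	}
	return string(b[:i]), string(b[i+1:]), nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// AES-CBC with a caller-supplied IV: the primitive both designs below share.
func cbcEncrypt(key, iv, pt []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(pt)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return ct, nil
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// Flawed design: every bulb encrypts the credentials under the same key and IV.
func flawedEncrypt(ssid, psk string) ([]byte, error) {
	return cbcEncrypt(globalKey, globalIV, packCreds(ssid, psk))
}

// An attacker who pulled globalKey/globalIV out of ONE bulb's firmware can read
// a blob sniffed from ANY other household's 6LoWPAN mesh.
func attackerDecryptFlawed(captured []byte) (ssid, psk string, err error) {
	pt, err := cbcDecrypt(globalKey, globalIV, captured)
	if err != nil {
		return "", "", err
	}
	return unpackCreds(pt)
}

// Fixed design (illustrative, not LIFX's actual construction): the key is
// derived from the network's own credentials, so nothing recovered from
// network A's bulbs helps against network B. A fresh random IV per message
// is sent in the clear ahead of the ciphertext.
func deriveNetworkKey(ssid, psk string) []byte {
	m := hmac.New(sha256.New, []byte(psk))
	m.Write([]byte("example-kdf|" + ssid))
	return m.Sum(nil) // 32 bytes -> AES-256
}

func fixedEncrypt(key []byte, ssid, psk string) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := cbcEncrypt(key, iv, packCreds(ssid, psk))
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

func fixedDecrypt(key, msg []byte) (ssid, psk string, err error) {
	if len(msg) < 2*aes.BlockSize {
		return "", "", errors.New("message too short")
	}
	pt, err := cbcDecrypt(key, msg[:aes.BlockSize], msg[aes.BlockSize:])
	if err != nil {
		return "", "", err
	}
	return unpackCreds(pt)
}

func main() {
	// Constructed sample credentials for two unrelated households, A and B.
	blobB, _ := flawedEncrypt("HomeB", "correct-horse-battery")
	ssid, psk, err := attackerDecryptFlawed(blobB)
	fmt.Println("flawed design, key dumped from household A's bulb:", ssid, psk, err)

	keyA := deriveNetworkKey("HomeA", "hunter2")
	keyB := deriveNetworkKey("HomeB", "correct-horse-battery")
	msgB, _ := fixedEncrypt(keyB, "HomeB", "correct-horse-battery")
	ssid, psk, err = fixedDecrypt(keyA, msgB)
	fmt.Println("fixed design, key dumped from household A's bulb:", ssid, psk, err)
	ssid, psk, err = fixedDecrypt(keyB, msgB)
	fmt.Println("fixed design, household B's own key:", ssid, psk, err)
}
```

In the flawed path the attacker recovers household B's SSID and passphrase without ever touching B's hardware; in the per-network path the same recovered material yields a padding error or garbage. HMAC-SHA256 is used here only to keep the example in the standard library; a shipped product would use a slow, salted KDF, and the per-network key still has to reach a new bulb by some channel the page does not describe.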

[via reddit]

13 thoughts on “Stealing WiFi From LED Lightbulbs”

      1. Oh, also remember Hue needs a base station. That doesn’t affect price, as it’s bundled in, but it does mean the LIFX bulbs have to act more independently, which probably explains the price difference.

    1. Price… what’s better in terms of openness?

      Also, LIFX bulbs are rated to last longer. Not sure if they do or not, but if the specs are right it almost makes up for the price difference.

    1. I fail to understand how obtaining wifi credentials without owner’s consent is entirely unrelated to wifi theft. Could you enlighten me?

      1. I guess if your goal is to get on the WiFi network, and you had the global key, this would be a way into a network that uses these devices in a silly way (not on their own LAN).

        I see stealing the global keys as the topic of the article; getting at the WiFi is just a result of being able to decrypt the bulbs’ communications, which expose the WiFi credentials.

        Six of one, half a dozen of the other, I suppose. Thanks for making me rethink.

  1. Annnnd yet again, this is why you don’t use a WiFi/TCP/IP network stack for controlling lights. Who wants this crap on their LAN? That being said, kudos to them for fixing it so quickly.

  2. While I can appreciate the work these guys did, I don’t see it as a real issue. They had to have physical access to the device and JTAG it to get the info. Even if you had the keys you’d still have to have access to the 6LoWPAN network. It just seems like a lot for a little.

    1. Re-read the write-up.

      “In a design such as the one employed by LIFX, this immediately raises alarm bells, implying that each device is issued with a constant global key. If the pre-shared key can be obtained from one device, it can be used to decrypt messages sent from all other devices using the same key. In this case, the key could be used to decrypt encrypted messages sent from any LIFX bulb.”
