Stealing WiFi From LED Lightbulbs


Back in 2012, the LIFX light bulb launched on Kickstarter, and was quite successful. This wireless LED lightbulb uses a combination of WiFi and 6LoWPAN to create a network of lightbulbs within your house. Context Information Security took a look into these devices, and found some security issues.

The LIFX system has a master bulb. This is the only bulb which connects to WiFi, and it sends all commands out to the remaining bulbs over 6LoWPAN. To keep the network up, any bulb can become a master if required. This means the WiFi credentials need to be shared between all the bulbs.

Looking into the protocol, an encrypted binary blob containing WiFi credentials was found. This binary could easily be recovered using an AVR Raven evaluation kit, but was not readable since it was encrypted.

After cracking a bulb apart, they found JTAG headers on the main board. A BusBlaster and OpenOCD were used to communicate with the chip. This allowed the firmware to be dumped.

Using IDA Pro, they determined that AES was being used to encrypt the WiFi credentials. With a bit more work, the key and initialization vector was extracted. With this information, WiFi credentials sent over the air could be decrypted.

The good news is that LIFX fixed this issue. Now they generate an encryption key based on WiFi credentials, preventing a globally unique key from being used.

[via reddit]

Porting Contiki to the TI MSP430 Launchpad

For many years Contiki has been one of the main choices when it came to choosing an IPv6 over Low power Wireless Personal Area Networks stack (aka 6LoWPAN). It is developed by a world-wide team of developers with contributions from Atmel, Cisco, ETH, etc… and is open source. As most platforms to which Contiki has been ported are quite expensive, [Marcus] decided to bring the operating system to the TI Launchpad. For our readers that don’t know, the latter is based on a msp430g2452/2553 microcontroller, which only have 256/512 bytes of RAM and 16kB of ROM. As a side note, Contiki typically requires 10k RAM and 30k ROM.

[Marcus] therefore had to remove several features from Contiki: queue-buffering, energy estimation and regrettably uIP. His test setup (shown above) uses the TI CC2500 radio that can be found for less than $2 on Aliexpress, for which he wrote radio drivers from scratch. He also coded his own radio duty-cicling layer, as the one included in Contiki was too big.