Not Happy with Smart Bulbs? Make Your Own

The idea of the so-called “smart bulb” sounds good; who wouldn’t want to be able to verify the porch light is on if you’re out of town for the night, or check to see if you left the bathroom lights on in your rush out the door in the morning? But in practice, it can be a nightmare. Each brand wants to push their own protocol. Even worse, it seems you can’t get anything done without signing up for three different services, each with its own application that needs to be installed on your phone. It’s a frustrating and often expensive mire to find yourself in.

[Dom Gregori] liked the Hue bulbs offered by Philips, but didn’t want to buy into the whole ecosystem of phone apps and hardware hubs they require. So he decided to create his own open source version that would do everything he wanted, without any of the seemingly unavoidable baggage of the commercial offerings. The final result is a professional-looking, ESP8266-controlled RGB bulb that hooks into Home Assistant via MQTT.

Looking at his Bill of Materials, it’s actually pretty amazing to see how little it really takes to pull a project like this off. Outside of the Wemos D1 Mini board, [Dom] just needed a few concentric WS2812 rings, and a USB charger small enough to fit into the base of his 3D printed enclosure.

We especially like how he handled the socket-side of the bulb, as that’s the part that would have left us scratching our heads. Rather than trying to salvage the base from an existing bulb, or come up with his own printed piece to stick in the socket, he just used a cheap and readily available light socket adapter. The solution might be a little bulky, but we like how he’s deftly avoided having to handle any AC voltages in this project.

Over the last couple years, we’ve seen more and more smart bulb related content come our way. From the ever popular teardown of a new entry into the market to the sobering realization that your light bulbs might provide the key attackers need to access your network, it’s been fascinating to see the transformation of these once simple pieces of hardware into something far more complex.

Don’t Toss That Bulb, It Knows Your Password

Whether it was here on Hackaday or elsewhere on the Internet, you’ve surely heard more than a few cautionary tales about the “Internet of Things” by now. As it turns out, giving every gadget you own access to your personal information and Internet connection can lead to unintended consequences. Who knew, right? But if you need yet another example of why trusting your home appliances with your secrets is potentially a bad idea, [Limited Results] is here to make sure you spend the next few hours doubting your recent tech purchases.

In a series of posts on the [Limited Results] blog, low-cost “smart” bulbs are cracked open and investigated to see what kind of knowledge they’ve managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain-text, but that recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulbs starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.

Regardless of the manufacturer of the bulb, the process to get one of these devices on your network is more or less the same. An application on your smartphone connects to the bulb and provides it with the network SSID and encryption key. The bulb then disconnects from the phone and reconnects to your home network with the new information. It’s a process that at this point we’re all probably familiar with, and there’s nothing inherently wrong with it.

The trouble comes when the bulb needs to store the connection information it was provided. Rather than obfuscating it in some way, the SSID and encryption key are simply stored in plain-text on the bulb’s WiFi module. Recovering that information is just a process of finding the correct traces on the bulb’s PCB (often there are test points which make this very easy), and dumping the chip’s contents to the computer for analysis.

It’s not uncommon for smart bulbs like these to use the ESP8266 or ESP32, and [Limited Results] found that to be the case here. With the wealth of information and software available for these very popular WiFi modules, dumping the firmware binary was no problem. Once the binary was in hand, a little snooping around with a hex editor was all it took to identify the network login information. The firmware dumps also contained information such as the unique hardware IDs used by the “cloud” platforms the bulbs connect to, and in at least one case, the root certificate and RSA private key were found.
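The same check, turned around for the owner of the bulb: this is an added example (not code from [Limited Results] or the original post) that scans a flash dump of your own device for the SSID and key you configured, plus PEM private-key headers, to confirm whether they sit in flash unencrypted before the bulb is resold or thrown out. The function names and the sample image are constructed for illustration.

```python
"""Audit a flash dump from a bulb you own for plaintext secrets before disposal."""
import re

# PEM headers that mark private key material embedded in firmware.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def find_all(haystack: bytes, needle: bytes):
    """Yield every offset at which needle occurs in haystack."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def audit_dump(image: bytes, known_secrets: dict):
    """Return sorted (offset, label, encoding) findings for secrets stored in the clear.

    known_secrets maps a label ("ssid", "psk") to the value you configured
    yourself, so the check confirms exposure of values you already know.
    """
    findings = []
    for label, value in known_secrets.items():
        if not value:
            continue  # an empty string would match at every offset
        # Firmware may keep strings as ASCII/UTF-8 or as UTF-16LE.
        for encoding in ("utf-8", "utf-16-le"):
            for offset in find_all(image, value.encode(encoding)):
                findings.append((offset, label, encoding))
    for match in PEM_PRIVATE_KEY.finditer(image):
        findings.append((match.start(), "private-key", "pem"))
    return sorted(findings)


def build_sample_image() -> bytes:
    """Constructed 4 KiB stand-in for a flash dump; every value is made up."""
    image = bytearray(b"\xff" * 4096)  # erased NOR flash reads as 0xFF
    for offset, blob in ((0x400, b"ExampleHome"),
                         (0x420, b"constructed-pass1"),
                         (0x800, b"-----BEGIN RSA PRIVATE KEY-----")):
        image[offset:offset + len(blob)] = blob
    return bytes(image)


if __name__ == "__main__":
    secrets = {"ssid": "ExampleHome", "psk": "constructed-pass1"}
    for offset, label, encoding in audit_dump(build_sample_image(), secrets):
        print(f"0x{offset:06x}  {label:<12} {encoding}")
```

Any hit means the value is readable by whoever next holds the hardware, so change the WiFi key (or keep such devices on an isolated network) rather than relying on a factory reset.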

On the plus side, being able to buy cheap smart devices that are running easily hackable modules like the ESP makes it easier for us to create custom firmware for them. Hopefully the community can come up with slightly less suspect software, but really just keeping the things from connecting to anything outside the local network would be a step in the right direction.

(Some days later…)

[Limited Results] had hinted to us that he had previously disclosed some vulnerabilities to the bulb’s maker, but that until they fixed them, he didn’t want to make them public. They’re fixed now, and it appears that the bulbs were sending everything over the network unencrypted — your data, OTA firmware upgrades, everything. They’re using TLS now, so good job [Limited Results]! If you’re running an old version of their lightbulbs, you might have a look.

On WiFi credentials, we were told: “In the case where sensitive information in the flash memory wasn’t encrypted, the new version will include encrypted storage processing, and the customer will be able to select this version of the security chips, which can effectively avoid future security problems.” Argue about what that actually means in the comments.

Giving An LED Bulb Some Smarts

How many of your projects have been spawned purely out of bored daydreaming? For want of something more productive to do, [dantheflipman] hacked a standard LED bulb from Wal-Mart into a smart bulb.

After pulling it apart, they soldered wires to the threaded socket and added a connector for a Hi-Link hlk-pm01 power module. The output caps at 5 V and 600 mA, but who says this was going to be a searchlight? A Wemos D1 Mini clone slides nicely beside the power module, and stacked on top is a NeoPixel Jewel 7. [dantheflipman] admits they have yet to add a capacitor ahead of the Jewel, so we’ll see how long the LEDs last. Crammed back together, the bulb is controlled via a prototype Blynk app. Good enough for a quick hack.

[dantheflipman] is upfront about messing with mains voltages: don’t do it unless you absolutely know what you’re doing. In this case, they have taken care with their soldering and epoxied all wire and solder joints to be sure nothing will come loose and short, and a ‘stress test’ is forthcoming.

Smart bulbs are cool no matter how you slice it, so a little more insight into how smart bulbs work with some of the nitty gritty that goes into hacking them might sate your thirst for knowledge.

[Via /r/arduino]