Security research firm exposes security glitch in “smart” bulb

Security is one of the biggest concerns of the Internet of Things (IoT). After all, with so many machines “talking” with each other and with the Internet, how does one stop them from leaking information to hackers?

Researchers at the well-known security research firm Context Information Security have exposed a security flaw in a Wi-Fi-enabled, smartphone-controlled LED light bulb. So how did they do it?

The team has explained it all on the Context official blog. It first gained access to the master bulb, through which the researchers were then able to control all connected light bulbs and expose user network configurations. Coming as a wake-up call for the bulb manufacturer LIFX, the hacking episode has helped the latter patch the loophole.


The work by Context was part of ongoing research into the security of the emerging field of IoT, and it raises some questions. According to Michael Jordon, Research Director at Context, the UK-based firm had also found vulnerabilities in other web-connected devices, from home storage systems and printers to baby monitors and children’s toys.

LIFX bulbs connect to a Wi-Fi network so that they can be controlled using a smartphone application. Where multiple bulbs are available, only one bulb connects to the network. This “master” bulb receives commands from the smartphone application and broadcasts them to all other bulbs over an 802.15.4 6LoWPAN wireless mesh network.

In the event of the master bulb being turned off or disconnected from the network, said Context, one of the remaining bulbs elects to take its position as the master and connects to the Wi-Fi network, ready to relay commands to any further remaining bulbs. This architecture requires only one bulb to be connected to the Wi-Fi network at a time, which has numerous benefits: the remaining bulbs can run on low power when not illuminated, the usable range of the bulb network extends well past that of the Wi-Fi network alone, and congestion on the Wi-Fi network is reduced.

The LIFX bulb was launched in September 2012 with crowd funding through the Kickstarter website.

The fix, developed with the help of Context, is included in the new firmware available at updates.lifx.co. The firmware now encrypts all 6LoWPAN traffic, using an encryption key derived from the Wi-Fi credentials. It also includes functionality for secure ‘on-boarding’ of new bulbs onto the network.

Image Credit: Context
