Fridge hacked. Car hacked. Next up, your LIGHT BULBS

Those convinced that the emerging Internet of Things (IoT) will become a hackers' playground were given more grist for their mill with news on Friday that security researchers have discovered a weakness in Wi-Fi/mesh networked lightbulbs. Researchers at Context Information Security discovered that LED light bulbs from …

  1. Anonymous Coward
    Anonymous Coward

    Why is security still an afterthought?

    You know, forty odd years ago, I could understand and sort of forgive the original framers of the internet and its protocols for not baking in proper security. Everyone trusted everyone else, and there just wasn't a mindset of "what if someone malicious wanted to break this for the lulz?"

    These days, it's rapidly starting to irritate me that companies are rushing products to market, and STILL aren't considering security seriously. No, using a hardcoded or preshared factory-set key is not 'taking security seriously'.

    Then again, if they can't properly secure a pacemaker or an insulin pump, what hope have we got they'll try particularly hard with a lightbulb...

    1. swschrad

      they'll fix it when New York City starts strobing

      or maybe when generating stations start playing Mozart, speeding up and slowing down.

      or when self-driving cars start line dancing on the freeway.

      if they still can...

    2. Zog_but_not_the_first
      Unhappy

      Re: Why is security still an afterthought?

      "Everyone trusted everyone else"

      I really think we did for a while. What happened?

      1. This post has been deleted by its author

    3. Cynic_999

      Re: Why is security still an afterthought?

      I do not believe the probability of having a light bulb hacked is particularly high at all - and if it is the consequences are not likely to be all that serious. It appears the hack involves some serious reverse engineering of some embedded code followed by some pretty dedicated WiFi snooping a few meters away from the light you are going to hack. The chances of anyone going to that degree of effort when there is no money to be made is very slim. Meanwhile far greater laughs can be had for no effort on far more commonplace systems that have never been even slightly secure. I once (years ago before decent Internet bandwidths) caught my son and his friend using my Sky remote through the window to change our elderly opposite neighbour's Sky to a porn channel after he had nodded off in his armchair. Following that I hid my binoculars from my son.

    4. Franklin

      Re: Why is security still an afterthought?

      In this particular case it doesn't seem like security was an afterthought--the mesh connections were encrypted, after all--but that the security wasn't implemented in a way that made it resistant to sophisticated physical attack on the microcontroller.

      Security is HARD. Even when you think about it from the get-go.

    5. Graham Marsden
      Unhappy

      Re: Why is security still an afterthought?

      Why? Because it doesn't make money, that's why.

      It's a cost on the bottom line, not a revenue generator so the bean counters don't want it, the bosses don't understand it and the coders are being pushed to get the product out, so security is ignored or pushed to the end of the line.

    6. Charles Manning

      Re: Why is security still an afterthought?

      Is need for physical access really a security risk?

      If the hacker is getting inside the device, then they could just as easily replace the micro or solder in their own wires....

      Do we blame Windows (or Linux) for being crap on a PC when anyone can just boot from a CD and do what the hell they like?

      At what stage do we say the security is good enough?

      1. proud2bgrumpy

        Re: Why is security still an afterthought?

        Honestly, are we really debating the potential security issues of a light bulb? Physical access is required when you switch it on/off or when you replace it every few months at a cost of £57.

        Someone should invent a network enabled feather duster that can monitor my dusting activity and report on my cleaning performance, energy usage and alert me when the feathers have worn sufficiently to warrant replacement.

  2. RainForestGuppy

    Nothing new here. See this story from 2008.

    http://www.cnet.com/uk/news/internet-connected-coffee-maker-has-security-holes/

    1. Captain DaFt

      As parodied here: http://freefall.purrsia.com/ff2500/fc02464.htm

  3. John Smith 19 Gold badge
    FAIL

    Go to the source. The circuit breakers now have microcontrollers in them

    OMFG.

    Who thought that was a good idea?

    1. swschrad

      why, the National Electric Code, of course

      those are your AFCI arc-fault detecting breakers. but you don't need to put ethernet on the power line to whack those. all you need is a reasonably good 17 meter ham rig in a car. 17 seems to be the hot ticket based on the length of house wiring to the AFCI breakers.

      the good news is that vendors have figured it out and are reconfiguring their filtering.

      1. Irony Deficient

        all you need is a reasonably good 17 meter ham …

        Mmmmm, 17 meter ham …

      2. Shannon Jacobs

        This was the only mention of "car" besides the title

        So what was the hacked car? Michael Hastings?

  4. Bob Wheeler
    Stop

    IMHO

    I beg to suggest that the weakness is thinking that people want "Wi-Fi/mesh networked lightbulbs"

    1. John McCallum
      Devil

      Re: IMHO

      Agreed what lazy sod fits internet connected lightbulbs?

  5. Blacklight
    FAIL

    Meh

    I was really keen on LIFX, but every time I asked them about 802.1x capabilities (my WLAN runs TLS & cert auth) I never got a proper answer. Not even a "No, it doesn't do cert auth".

    Philips Hue sidesteps this by having a wired controller using Zigbee - and was available, and has a nice REST API, so I went down that route....

  6. Timo
    Flame

    now lightbulbs need a firmware upgrade?

    How in the world will we go about doing firmware upgrades to lightbulbs? Do the bulbs get their own upgrades, or is there an app that needs to be loaded on some other (higher functioning) device in order to push the upgrade.

    Is this where the Internet - o - Things is going? You'll need a fiber optic link to the internet and a high usage cap just so all of your devices can stay up to date.

    Lights off - "I'm sorry Dave, I can't do that."

    1. Blacklight

      Re: now lightbulbs need a firmware upgrade?

      The Hue bulbs do have f/w and update - although Philips don't really tell you about this...

      When I bought mine, when you turned them on, they went from 0% to 100% smoothly over about 1.5 seconds....then one day, one started turning on to 100% pretty much immediately.

      A dig into the hub interface shows that the bulbs were being updated - the hub reports the bulb f/w to homebase and (I presume) proxies the s/w to the bulb over its hybrid Zigbee interface. Works though, just a bit slow (the bulbs have to be powered on at the switch, even if you have them 'soft off').

      The hub also does talk to the 'net and you can control lights remotely, although you can disable that and run them from LAN only - if you so desire/require.

      1. Tom Wood

        You actually bought these things?

        May I ask why?

        Just because they're "cool" or do they actually do something useful that regular lightbulbs don't?

        1. Brewster's Angle Grinder Silver badge

          @Tom Wood

          I don't care about "the why". I just know that what is cool now will be in high end stuff in a couple of years and in everything you buy a few years after that. :(

    2. Captain Scarlet Silver badge
      Thumb Up

      Re: now lightbulbs need a firmware upgrade?

      Hmm if I could get an IOT front door and windows I could just make up stuff like oh sorry I am late for work, my door decided to update its firmware and lock me in until it was done.

  7. Anonymous Coward
    Anonymous Coward

    I think it's probably safe to assume that anything that comes close to one's internet connection can be hacked.

    Surely a super-efficient way for any power or authority to gain access to the private lives of the people is to make them want it, make them pay for it and make them love it.

  8. Amorous Cowherder
    Happy

    "By gaining access to the master bulb,"

    Just sounds like a line from a really crappy, made-for-TV sci-fi movie!

    1. Anonymous Custard

      Or some 70's bio-horror based in the Netherlands perhaps ;)

      1. This post has been deleted by its author

  9. Fiddler on the roof

    Opportunities

    Think of the jobs that will become available: Basingstoke Automated Public Toilet Flushing Designer, North East Street Light Automation Exploitation Executive. The list just goes on and on.

    1. swschrad

      I should think that would be the Ti-D-Bowl man

      lose the little boat from the ads, gain a printer for all the helldesk tickets. "weak flush at 85th and Central, mens, 3rd stall." "low paper, Edgington Court Starbucks, mens." "geysers and Sharknados, use extreme caution, 10th Crossing subway station, you can't miss it."

      1. Anonymous Custard
        Joke

        Re: I should think that would be the Ti-D-Bowl man

        Turdnado?

  10. ukgnome
    Coat

    Paddy McGuinness

    lights out, all out

    *I'm going, the one with the wind up torch and tinfoil hat

  11. Anonymous Coward
    Anonymous Coward

    Just wait til we have WIFI in adult toys

    1. Anonymous Coward
      Anonymous Coward

      WiFi in adult toys?

      They already have it with USB, WiFi probably isn't far behind. The connection implementation is left as an exercise for the user.

      Obviously AC!

      1. Charlie van Becelaere

        Re: WiFi in adult toys?

        AC? I should think DC would be safer. Connecting those items to the mains seems foolish at best.

        Oh, _that_ AC. Carry on (as it were).

  12. wyatt

    If the internet still isn't secure what chance has the IoT got? My company has just moved to an online HR provider, first thing that I get when browsing to the login page is an invalid certificate warning message. Basics..

    Whilst I doubt it is an issue (I checked who the certificate was issued to), it doesn't fill me with confidence in 1) them as a company and 2) us for choosing them.

    1. Ken Hagan Gold badge

      "If the internet still isn't secure what chance has the IoT got?"

      Smaller networks are easier to secure than larger ones. Nets where one person owns and/or has physical possession of all the devices are the easiest to secure. Larger ones where most of the devices aren't even under the same legal jurisdiction as you are a Very Hard problem.

  13. Anonymous Coward
    Anonymous Coward

    Lightwave

    Lookup Lightwave RF if you're a security researcher who wants an easy life. Soooo many potential vulnerabilities you wouldn't believe. Sadly, I only thought about it after I'd bought enough bits of the system to make backpedalling an expensive mistake!

    1. BenDwire Silver badge
      Boffin

      Re: Lightwave

      Just block the controller from the internet. If you really want to turn your stuff on from another continent you'll have to use a secure connection to your server* as a gateway to the controller. It's quite simple*.

      * you're a Reg reader, right?

  14. heyrick Silver badge
    WTF?

    Wait... WHAT?

    Lightbulbs on the internet?

    Jesus effing Christ! Maybe I'm getting too old for this lark, but that seems to me a "because we can" item.

  15. Camilla Smythe

    How many...

    mumble mumble mumble does it take to hack a light bulb?

  16. Stevie

    Bah!

    No doubt there is a really good, clever reason for connecting light bulbs to the internet that eludes me.

    I think I'll pass, though.

  17. Zog_but_not_the_first
    IT Angle

    Appropriate technology

    Computers for work and social chit-chat (not Farcebook, of course). 20C tech for everything else..

  18. bigtimehustler

    “Prior to the patch, no one other than Context had exposed this vulnerability, most likely due to the complexity of the equipment and reverse engineering required.” - What utter rubbish, they basically got their arse handed to them, the only reason no one else got there first is because this is still a fairly niche technology and so most would-be exploiters don't have any of the hardware to experiment with and it is not a big enough attack vector yet to make it worth a serious targeted attempt.

  19. Anonymous Coward
    Anonymous Coward

    The NSA spooks must be rubbing their hands with glee

    coming soon an ideal location in EVERY room of your house: built-in networked Spy Devices, a.k.a. Lightbulbs.

    How can you be sure that the bulb you put in does not have a microphone or even a camera inside it? As it is networked the NSA will rejoice. You put their bugs in for them.

    Job Done, USA No 1

    anon obviously.

  20. Gene Cash Silver badge
    Happy

    "security researchers have discovered a weakness in Wi-Fi/mesh networked lightbulbs"

    Now there's a line straight out of a cheap '90s "cyberpunk" novel.

  21. Jack Austin

    "He: I'd love to go out with you, Susan, but I have to stay home tonight and upgrade the firmware in my light bulbs."

    She: "Well, if you don't want to go out, you could just SAY SO."

  22. Anonymous Coward
    Angel

    Humm

    "most likely due to the complexity of the equipment and reverse engineering required."

    They plugged the lightbulb counterclockwise?

  23. Charles Manning

    Old joke, new answer

    Q: How many software engineers does it take to change a lightbulb?

    A: Lots.... and a BOFH.

  24. Anonymous Coward
    Anonymous Coward

    This reminds me of a car hack sometime back

    Hacking a computer system when you're physically present and have specialised tools to do the job isn't that scary. People with physical access and those tools/skills have lots of ways to achieve their nefarious goals and are unlikely to be casual hackers.

    The real worry with IoT, as lots of others have mentioned, is when someone creates a toolset to let kids work your house from their bedroom. However complicated a static target is they have all the time in the world to break it once and then automate the procedure (and how many average joes are going to know how to respond to 'urgent, your lightbulb needs to be patched!' messages).

    Turning lights on and off, defrosting your freezer while you're at work etc. are exactly the kind of dumb things kids will do if they're able to. For appliances that benefit from being internet enabled this is a real worry. For things like lightbulbs that really see no benefit the obvious question is 'why do it?'.

    And even if we imagine for a moment that static security can be made so tight that it can't be broken at the lightbulb end that just moves the weak point to the other side. The mobile phone will presumably be the device controlling these things, so just hack that (or hilariously open your co-worker's garage door when he goes to the bathroom at work).

  25. proud2bgrumpy

    Network connected lightbulbs - honestly, does anyone anywhere want or need this? What benefit is there (really) to this level of over-engineering and over complexity. Yes, I'm sure there are some applications where remote control of a light bulb is useful, but putting the intelligence into a consumable item with a short life is just stupid.
