Light bulb illuminates WiFi weakness: IoT security needs to improve

News by Steve Gold

Smart light bulb hacked to reveal WiFi password, research project highlights need for development of Internet of Things security.

Researchers with Context Information Security have been rolling up their electronic sleeves and dissecting the security of a WiFi-enabled energy-efficient smart light bulb, in what they claim may be a taste of security incursions in the future 'Internet of Things' world.

By gaining access to the master light bulb, Context says it was able to control all connected light bulbs and so expose user network configurations.

The research firm has been in regular contact with LIFX, the bulb's manufacturer, and a firmware update for the vulnerability was quickly issued.

Simon Walker, LIFX's head of marketing, said that prior to the patch, no one other than Context had exposed this vulnerability, most likely due to the complexity of the equipment and reverse engineering required.

Context says that the LIFX code analysis forms part of the company's research into the security of the emerging Internet of Things (IoT), and raises some questions.

“It is clear that in the dash to get onto the IoT bandwagon, security is not being prioritised as highly as it should be in many connected devices,” said Michael Jordon, Context's research director.

“We have also found vulnerabilities in other internet connected devices from home storage systems and printers to baby monitors and children's toys. IoT security needs to be taken seriously, particularly before businesses start to connect mission-critical devices and systems,” he explained.

“Hacking into the light bulb was certainly not trivial but would be within the capabilities of experienced cyber-criminals,” he added.

In some cases, says Jordon, these vulnerabilities can be overcome relatively quickly and easily, as demonstrated by working with the LIFX developers.

"In other cases, the vulnerabilities are fundamental to the design of the products. What is important is that these measures are built into all IoT devices from the start and if vulnerabilities are discovered, which seems to be the case with many IoT companies, they are fixed promptly before users are affected,” he explained.

Sarb Sembhi, an analyst and director with Storm Guidance, said that Internet of Things security stories like this are actually not that new; if you step back ten years, you find that internet-connected CCTV cameras were being compromised by what is, to all intents, a zero-day attack flaw.

"The problem that is highlighted here is that security is not being considered in depth when these devices are being developed. That isn't always the fault of the developers, however, as there is no widely published security model to assist developers - and for them to follow," he explained.

According to Sembhi - who is also chair of ISACA's region 3 government and regulatory advisory sub-committee - Microsoft is largely alone in the industry in publishing its own security model, which is particularly useful, he says, for developing embedded systems.

"Security always tends to be retro-fitted in today's technology, and almost never from day one of the development process. Our industry - and that of technology generally - needs to look at carrying out a security analysis when the product is designed," he said.

Phil Keely, a principal systems engineer with Aerohive Networks, said that, when it comes to the Internet of Things, the presumption is that it just works, but the physical connection and the security behind it cannot be overlooked.

“For WiFi, which will be a significant connection mechanism for the IoT, the obvious security behind it is a pre-shared key, which, as demonstrated by Context, isn't always going to be secure,” he explained.

“In the home space, everyone uses a single wireless network and populates the same pre-shared key. The concern here is the proliferation of the key to this network. Putting in the right level of security for these new devices connecting to the network needs to be dealt with appropriately to avoid becoming an easy hacking gateway,” he said.

“Take a single service set to use Private Pre-Shared Keys (PPSK) instead - one group of keys could be used for guest access or BYOD. Meanwhile, another group of keys could be used for building management with a very controlled firewall policy that only allows the building systems to make changes, rather than anyone else connected to the network.

"Lighting systems could be controlled by yet another group of keys, which may have their own firewall policy allowing corporate users to adjust the lighting in the meeting rooms, but not in the corridors. Private pre-shared keys provide users the ability to have thousands of different pre-shared keys on a single network with different connection profiles, including firewalls and VLANs, making it the ideal security mechanism for the IoT,” he added.
