U.K. based research company Context Information Security has discovered a security weak point in the LIFX smart LED light bulbs. “It is clear that in the dash to get onto the IoT bandwagon, security is not being prioritized as highly as it should be in many connected devices,” said Context Research Director Michael Jordon in an article with Electronics Weekly. 

U.K. researchers discover a security vulnerability with LIFX smart bulbs. (photo courtesy of LIFX)

Startup electronics company LIFX’s LED smart bulb can be controlled by a smartphone through a wireless network. The bulbs use a wireless 802.15.4 6LoWPAN mesh network. When testing the bulbs, Context connected wires to JTAG ports on system microcontrollers TI and STM in order to understand the encryption used among the bulb network. Once connected, researchers were the able to read the encryption algorithm, key initialization vector, and mesh network protocol, according to Electronics Weekly. Researchers were able to use the information gathered to inject packets into the network undetected. 

Once notified of the security problem with the bulbs, LIFX has teamed up with Context to create a firmware patch. A key derived from Wi-Fi credentials is now used for all 6LoWPAN traffic for encryption purposes so that the bulbs can be connected through a secure network. 

 “Hacking into the light bulb was certainly not trivial but would be within the capabilities of experienced cyber criminals,” said Jordon. “In some cases, these vulnerabilities can be overcome relatively quickly and easily as demonstrated by working with the LIFX developers. In other cases the vulnerabilities are fundamental to the design of the products. What is important is that these measures are built into all IoT devices from the start and if vulnerabilities are discovered, which seems to be the case with many IoT companies, they are fixed promptly before users are affected.” 

Reach Context's blog entry for more information: Hacking into Internet Connected Bulbs