A hacker has just published on the LimitedResults site a vulnerability classified as “moderate to severe” that would allow a smart light bulb, in this case the LIFX mini white, to be hacked, giving access to some private user data, including, for example, the password for the WiFi network.
According to the person in charge of this investigation, the LIFX mini white bulb, priced at around 25 dollars, has a vulnerability that would allow an attacker to extract the username and password of a WiFi network, as well as other valuable data, in under an hour.
According to LIFX, the vulnerability has been fixed
The site details the steps to hack the bulb, which mainly consist of removing the main chip from the bulb and then connecting it via USB to another chip to access its information.
As they explain, the bulb’s chip stores the access credentials for the WiFi network in plain text, without any kind of encryption. With this information, LimitedResults affirms, anyone could access the network settings and change the password, with all the risks that this entails.
The research also shows that this bulb does not have any security settings: it does not require a login, and none of the stored information is encrypted. As a result, the device can be controlled by unauthorized software or hardware, since the connection is made directly without additional layers of security, and data could even be written to the device’s memory.
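A defender-side check for the finding described above, as an added example that is not code from LimitedResults or LIFX: it scans a constructed flash dump for printable key/value strings that look like stored WiFi credentials, the kind of at-rest secret a firmware release check should catch. The key names and the config record layout are assumptions, not the bulb’s real format.

```python
import re
from typing import Dict, List

# Key names under which firmware commonly stores WiFi settings
# (assumption for this example, not LIFX's actual storage format)
_CRED_RE = re.compile(
    r"(?i)(\w*(?:ssid|psk|passphrase|password))\s*[=:]\s*([^;\r\n]+)"
)


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like `strings -n`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def find_plaintext_credentials(blob: bytes) -> List[Dict[str, str]]:
    """Report key/value pairs in the dump that look like WiFi credentials.

    A hit means the secret is readable straight out of flash. A credential
    block that is actually encrypted at rest yields no such printable text.
    """
    hits: List[Dict[str, str]] = []
    for s in extract_strings(blob):
        for key, value in _CRED_RE.findall(s):
            hits.append({"key": key, "value": value.strip()})
    return hits


def build_sample_image() -> bytes:
    """Constructed flash image: erased 0xFF padding around one config record."""
    config = b"wifi_ssid=HomeNet;wifi_psk=correct horse battery staple;\x00"
    return b"\xff" * 64 + b"\x00" * 16 + config + b"\xff" * 64


if __name__ == "__main__":
    for hit in find_plaintext_credentials(build_sample_image()):
        print(f"PLAINTEXT {hit['key']} = {hit['value']!r}")
```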
After the vulnerability was disclosed, LIFX issued a statement informing that it has been corrected. The company claims its bulbs have received a firmware update, that user credentials are now encrypted, that a new security setting was added for bulb memory access, and that the private key is also encrypted.
This is a new example of the lack of security from some manufacturers of connected devices, and in the case of LIFX it is not the first time that its light bulbs have been hacked. As we know, this has served to launch various attacks, ranging from simple things like playing with the lights in an office to more elaborate ones like the DDoS attack that knocked out the web in 2016.