Did you know that your IoT light bulbs carry a hefty security risk?

Short answer: They do.

Image: smart light bulb from Lifx on a table (credit: TCP Wireless)

We’ve known for ages now that Internet of Things (IoT) devices like light bulbs and switches are insecure. The Mirai botnet used compromised IoT devices to take down Dyn, a major DNS provider, in October 2016, knocking a large part of the web offline for hours. Mirai spread by scanning the internet for devices that accepted Telnet logins with one of a short list of factory default usernames and passwords, which most owners never change (and on some devices cannot change at all).

A prime example of this is the networking equipment bundled with your internet service. The default Wi-Fi password printed on the router is often derived from the access point’s MAC address (the BSSID), which every access point broadcasts in its beacon frames as part of how Wi-Fi works. Anyone in range who knows the ISP’s derivation scheme can recover the passphrase without ever seeing the sticker. Seriously, change your default passwords.

What’s more, with the relatively low cost of most IoT devices, it’s often not cost-effective for the manufacturer to build better security in at the design stage. You might think the only risks of buying a cheap IoT light bulb are the badly-translated app that controls it or some extra setup time to get it integrated into your existing network. It turns out those are the least of your worries: most of the bulbs examined below have no protection for the secrets they store, even though the hardware they’re built on could provide it.

IoT light bulbs store your Wi-Fi credentials in plaintext

Image: IoT light bulb opened up (credit: Limited Results)

In an illuminating series of posts, Limited Results has scared me into never throwing away the one IoT light bulb I currently own (at least, not without destroying the circuit board fully). All of the low-cost bulbs investigated, from Lifx, Xiaomi, Tuya and Wiz, kept the Wi-Fi SSID and passphrase they were configured with (that is, your network’s credentials) in plaintext in the module’s flash memory. Anyone who gets hold of a discarded bulb can read that flash, over the module’s serial or debug interface or by reading the flash chip directly, and pull the credentials out with little more than a strings search. From there they can join your network.

One device also kept its RSA private key unencrypted in flash. That key is used to authenticate the device’s secure connections to the vendor’s servers, for things like firmware updates. Depending on how the update path is authenticated, it’s not hard to see how a recovered key could be misused to push malicious firmware to such devices, which could then sniff traffic on the network for banking credentials and other sensitive information.

Making things more egregious, the microcontrollers in several of these bulbs support encrypting what is stored in flash. The ESP32 found in at least one of them, for example, offers flash encryption and secure boot, which would have kept the credentials and key unreadable to anyone dumping the chip. The manufacturers simply didn’t turn it on.

With IoT devices becoming ever more prevalent, the least you can do is be aware of the potential dangers and how to mitigate them. Keep all IoT devices on their own subnet, VLAN or guest network, with firewall rules that block them from reaching your main devices (your laptop can still be allowed to reach the bulb to control it), so that a compromised device can’t get at the important data. Give that network its own Wi-Fi passphrase, so a bulb that leaks it doesn’t leak the one your laptop and phone use. Make sure your router is password protected, change all default user/password combinations and use long, hard-to-crack passwords. And before you sell or throw away a device, don’t rely on a factory reset to wipe its flash: a reset often clears only the device’s configuration, not the stored data itself.


Maker, meme-r, and unabashed geek with nearly half a decade of blogging experience at KnowTechie, SlashGear and XDA Developers. If it runs on electricity (or even if it doesn't), Joe probably has one around his office somewhere, with particular focus in gadgetry and handheld gaming. Shoot him an email at
