Did you know that your IoT light bulbs carry a hefty security risk?
Short answer: They do.
We’ve known for ages now that Internet of Things (IoT) devices like light bulbs and switches are insecure. The Mirai botnet attack used IoT devices to take down a large part of the domain name service infrastructure in October of 2016, which was successful because IoT devices often have the same default password and username from the factory, which is often not changed by the user (if they can be changed at all).
A prime example of this is the networking equipment bundled with your internet services. The default Wi-Fi password that is printed on the router is often related to the MAC address, which gets broadcasted as part of how Wi-Fi works. Seriously, change your default passwords.
What’s more, with the relatively low cost of most IoT devices, it’s often not cost-effective for the manufacturer to build better security in at the design stage. For example, you might think the only risks of buying a cheap IoT light bulb are the badly-translated app to control it or maybe some extra setup time to get it integrated into your existing network. It turns out those are the least of your worries, as most light bulbs have no security to speak of, even if the hardware they’re built with could support it.
IoT lightbulbs contain your Wi-Fi credentials
In an illuminating series of posts, Limited Results has scared me into never throwing away the one IoT light bulb I currently own (at least, not without destroying the circuit board fully). All of the low-cost bulbs investigated from Lifx, Xiaomi, Tuya, and Wiz kept their (and correspondingly, your) Wi-Fi credentials in plaintext. That means anyone getting their hands on your light bulb could connect to your network after a fairly trivial process of pulling the credentials off the bulb.
One device also kept its private RSA key easily accessible. That information is used to create secure connections to the servers it connects to for things like updates. It’s not hard to see how this could be misused to upload malicious firmware to such devices, which could then skim off banking credentials and other sensitive information from the network.
Making things more egregious, the chips that most of these devices used can support encryption for credentials, it’s just not implemented by the manufacturer.
With IoT devices becoming ever more prevalent, the least you can do is be aware of the potential dangers and how to mitigate them. Keep all IoT devices isolated on a subnet or guest network so even if they’re compromised, the attackers can’t get to the important data on your main devices. Make sure your router is password protected, change all default user/password combinations and use long, hard to crack passwords.
- Facebook has been giving teens money in exchange for their data
- A new massive email breach was uncovered, here’s how to check if you were affected
- Ezviz announces more smart home security devices at CES 2019
- Google just got slapped with a $57 million fine over privacy
- This smartphone has no holes, buttons, ports, or wires