IoT update: Hackers can come in through the light bulb

For anyone who doubted the Internet of Things (IoT) poses security headaches, a recent report should be a wake-up call. 

Researchers have discovered that so-called “smart” light bulbs have a significant security vulnerability.

Lifx light bulbs connect to a home or office’s WiFi network. This allows for them to be turned on or off from a smartphone.

The problem, according to Ars Technica:

While the bulbs used the Advanced Encryption Standard (AES) to encrypt the passwords, the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.

This allowed anyone within about 100 feet of one of the bulbs to be able to figure out the password for the WiFi network they were connected to.

Firmware was updated

Lifx has fixed the issue with a firmware update. Since the project was funded by a high-profile Kickstarter campaign, it clearly knew leaving a vulnerability like that out in the open would be asking for trouble.

The only problem: More and more devices and objects are connecting to networks these days. It’s no longer just phones, laptops and tablets.

With all these connected devices being churned out rapidly for a quick buck, plenty of them will be vulnerable to attack or hastily secured. And not all of their manufacturers will be so quick to acknowledge and fix vulnerabilities (or even be in business long enough to provide support.)

A serious issue

The idea of a hacker attacking light bulbs, fridges or other appliances might seem silly. But any vector that can be used to launch an attack will be taken advantage of.

Look no further than the massive Target breach, where hackers came in through a connected HVAC supplier.

To protect yourself from IoT attacks, make sure to:

  • Talk with facilities. Many of these newly connected devices are designed to improve efficiency of facility systems. Make sure your facilities teams know not to acquire any connected devices until you can vet them for security.
  • Consider multiple networks. If connected devices are coming into your workplace, you may want them on a separate, secure network that can’t connect to existing infrastructure.
  • Stick to trusted providers. Lifx may have an interesting product available, but it’s not exactly an established name in the industry. If purchasing connected devices, go with companies that you trust and that have support in place for security and firmware updates.