The Problem with Throwing Away a Smart Device…
…is that sometimes they aren’t that smart about security.
You wouldn’t take a hard drive and just throw it out in the trash, or put it up for sale on eBay, without at least wiping it properly. At least, you shouldn’t. However you may well still take your dead smart devices and throw them away. But, unsurprisingly perhaps, this turns out to be a bad idea as well.
Last week a teardown of the LiFX Mini white was published on the Limited Results site, and it shows that this smart lightbulb is anything but smart.
In a very short space of time the teardown established that if you’ve connected the bulb to your Wi-Fi network then your network password will be stored in plain text on the bulb, and can be easily recovered just by downloading the firmware and inspecting it using a hex editor.
In other words, throwing this lightbulb in the trash is effectively the same as taping a note to your front door with your wireless SSID and password written on it. This probably isn’t something you should be comfortable doing.
Worse yet both the root certificate and RSA private key for the bulb are also present in the firmware in plain text, and the devices is completely open—no secure boot, no flash encryption, and with the debug interface fully enabled.
It turns out that this particular LiFX bulb is built around an Espressif ESP32 which, as we know, has a sprawling and fairly mature open source ecosystem. But that also means that the security implemented by LiFX for the bulb was inexplicably poor. Because while the recovery of the password and keys was aided by the mature state of the development environment, the ESP32 also supports both secure boot and flash encryption, and the later would have provided “at-rest” data encryption, and stopped the this sort of attack dead in its tracks.
In fact the availability of these two security features is one of the primary reasons to use the ESP32, rather than the cheaper ESP8266, in a production device. If you’re building a smart device, and intend to put it into someone’s home, you shouldn’t ship without implementing them both.
Of course the LiFX is hardly the only Internet of Things smart device to have abysmal security, it’s not even the only light bulb to undergo a teardown by Limited Results, nor the first to store the Wi-Fi credentials in plain text.
I’ve been talking about the security of the Internet of Things for years, and it doesn’t seem to be getting any better. Part of this is due to the business model behind most smart things aimed at consumers, you make a one-time purchase of the Thing itself, but don’t commit to a subscription to support the cloud services that make the Thing “smart” in the first place.
That just isn’t sustainable and it also directly drives the growing problem of Internet of Things abandonware, and has real implications for our privacy.
I’ve argued before that I think we’re approaching securing the Internet of Things in the wrong way, and that today’s unsubtle hacks of our things are probably going to be the least of our worries in the future.
But while there is no way to make a smart device totally secure, that just means that a modern approach to security should be all about defence in depth, rather than any one single security measure.
There isn’t any single measure that can make a smart thing magically secure, but that doesn’t mean you can’t just leave devices entirely open like this LiFX bulb. Just because security is hard, that doesn’t mean you get to ignore it. No matter how unsustainable your business model.
Update: LiFX responded to the story with the following comments,
“A report posted by Limited Results claimed that three categories of security vulnerability exists in our lights. Indeed we have been working in collaboration with Limited Results since he alerted us to these, with thanks, in 2018. In response, we have already addressed each vulnerability with firmware updates during Q4 2018:
#1: WiFi credentials are now encrypted
#2: We have introduced new security settings in the hardware
#3: Root certificate and RSA private key is now encrypted”