Vulnerabilities in LIFX lighting bulbs could allow attackers to steal WiFi credentials

• The root certificate of the LIFX device and RSA private key were made available in the LIFX light bulb's firmware.
• LIFX confirmed that all sensitive information stored in the firmware is now encrypted and that they have introduced extra security settings in the hardware.

A researcher reported a set of vulnerabilities in LIFX light bulbs that could be exploited to steal WiFi credentials of LIFX smart lighting owners. The researcher going under the name ‘LimitedResults’ described how the LIFX smart lighting bulbs could be exploited to access everything from WiFi passwords to root certificates.

LimitedResults used the LIFX mini white device which can be controlled via smartphones to adjust the temperature and lighting level at home as a test product for investigation.

The researcher revealed that after installing the LIFX mini white app on an Android device and setting up the WiFi connection, he got hold of a hack saw. After further investigation, the researcher detected that the main component of the LIFX smart bulb is an ESP32D0WDQ6 SoC (system-on-chips) which is manufactured by Espressif.

Three security issues

LimitedResults connected to the LIFX hardware and found out three security issues impacting the LIFX product,

• The first security issue was that the Wi-Fi credentials were stored in plaintext within the flash memory.

“A simple research into the binary file flash.bin using the hex editor or even string/grep command is enough to retrieve the WiFi credentials,” Limited Results stated.

• The second security issue was the lack of overall security measures set in place to protect the LIFX hardware. LimitedResults couldn’t find any secure boot, flash encryption, or any attempt to disable JTAG in LIFX hardware.
• The third security issue was that the root certificate of the LIFX device and the RSA key were made available in the LIFX light bulb’s firmware. LimitedResults disclosed that this was the worst security issue that impacted the LIFX smart lighting bulbs and he decided to stop the investigation after that.

The vulnerabilities have all been addressed

The vulnerabilities were first detected in May 2018. LIFX did not respond to the queries requesting a PGP key to disclose the finding for four months. Later, LimitedResults contacted LIFX via email on October 3, 2018. LIFX acknowledged the email and requested a 150-day disclosure timeline. However, a 90-day disclosure timeline was agreed upon.

LIFX confirmed that the ‘moderate to high’ vulnerabilities have all be addressed in automatic firmware updates that were released at the end of 2018. The company confirmed that all the sensitive information stored in the firmware is now encrypted and that they have introduced extra security setting in the hardware.

“We have already addressed each vulnerability with firmware updates during Q4 2018: #1: WiFi credentials are now encrypted, #2: We have introduced new security settings in the hardware, #3: Root certificate and RSA private key is now encrypted,” LIFX notified.