Turning on a “smart” light bulb may be the latest way people inadvertently flood the internet with their personal information.
A new Symantec report has revealed that some of these connected, Wi-Fi-enabled IoT devices are unsecure and can enable a hacker to quickly come away with passwords, email addresses and other important information. While looking at some of the lower-end models, the company’s researchers found that the security in place is far below what is needed for a device that resides on a home network.
In order to obtain the most usefulness from these devices, the owner must download an app and create an account. Then the bulb can be controlled via a phone. However, this is where the first security issue was found.
“The first thing we noticed while analyzing the network traffic was that the smartphone application was mostly using plain HTTP requests to interact with the back end in the cloud. Only a few requests – for example, to register a new user or to log in – were sent encrypted over HTTPS,” said Candid Wueest, a principal threat researcher with Symantec.
This is a huge flaw due to the amount of private information that is transferred during this process. For instance, if the owner changes the name of the bulb being installed, that bit of info is passed along in an unencrypted, cleartext post via email, with the MD5 hash of the unsalted password. This, in turn, could allow a malicious actor with network access to sniff the traffic and brute force the password hash.
One particular product takes its lack of security to another level entirely by not allowing the user to change the password after it is initially set.
If all of this is accomplished, homeowners could find themselves in the awkward position of having their lights controlled by someone else.
But that is far from the worst case scenario: “The API on the back end allows a user to find the user account that is associated with a specific light bulb by sending the MAC address of that device. There is no verification to determine whether the user account used to query a device is actually associated with that device,” Wueest said. “Therefore, an attacker only needs an active session that has already been authenticated, and can then guess or brute force the MAC address of a target device.”
Once this is done, the attacker can figure out all possible MAC addresses for that particular vendor and then find any activated, remotely controlled light bulbs. By conducting a simple GET request, the malicious actor can receive the unique ID number and owner’s email address in cleartext.
These email addresses can then be used for an additional attack on the person or to do something to the bulb. Two other issues – one an actual design feature – open these bulbs up to further problems. To become an official bulb controller, one only needs the MAC address and not the password.
Once this is done a single person can control lightbulbs all over the world, and come away with the user’s email address.
Wueest suggests anyone purchasing one of these products use the limited amount of security available to its fullest by changing the default password, using a dedicated account with a strong password to set up the devices, updating the firmware and the smartphone apps whenever there is a new version released, and turning off unused or unwanted features and services like remote control.