Smart LED lightbulbs are pretty cool, like the Link bulb from GE and the Philips Hue. How are they cool? Well, in case you haven’t been following the news, what makes these lightbulbs pretty awesome is that you can control them via your smartphone. You can adjust their brightness, set when they turn on, and in the case of the Philips Hue, even adjust the color.
However, because these bulbs need to connect to your WiFi network, it has been discovered that your WiFi passwords can actually be stolen by hacking the bulbs themselves, meaning that someone could potentially latch onto your home or even office WiFi network without you knowing.
This was recently discovered by white-hat hackers who managed to hack the LIFX smart lightbulbs. The LIFX lightbulbs were a Kickstarter project from back in 2012 which managed to raise over $1.3 million, surpassing its original goal of $100,000. According to the hackers, they exploited a weakness within the lightbulb’s firmware that allowed them to obtain the password of the WiFi network it was connected to.
This was possible due to how the WiFi credentials were passed from one bulb to the other over a mesh network powered by 6LoWPAN, a wireless spec built on the IEEE 802.15.4 standard. While the bulbs did use AES to encrypt the password, the pre-shared key never changed, which helped hackers decipher the payload.
Thankfully LIFX has since updated its firmware. It is unclear if other bulbs from the likes of GE or Philips could be subject to similar hacks or vulnerabilities themselves, but it does raise questions and concerns regarding the security of connected household objects.
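One way to avoid the never-changing pre-shared key described above, shown as an added example that is not LIFX's code or its actual firmware fix: derive each mesh's AES key from a secret generated at setup, using HKDF (RFC 5869). The constant key value, mesh names and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

KEY_LEN = 16  # AES-128 key size in bytes

# Constructed stand-in for a constant key compiled into every bulb's firmware.
GLOBAL_FIRMWARE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def static_mesh_key(mesh_id: bytes) -> bytes:
    """Weak design: every mesh, everywhere, encrypts with the same key."""
    return GLOBAL_FIRMWARE_KEY


def derived_mesh_key(install_secret: bytes, mesh_id: bytes) -> bytes:
    """Hardened design (assumption): key bound to a secret created at mesh setup."""
    return hkdf_sha256(install_secret, salt=mesh_id,
                       info=b"mesh-credential-key", length=KEY_LEN)


def blast_radius(keys_by_mesh: dict, known_mesh: str) -> list:
    """Meshes whose key equals the key of one mesh assumed to be exposed."""
    known = keys_by_mesh[known_mesh]
    return sorted(m for m, k in keys_by_mesh.items() if hmac.compare_digest(k, known))


def compare_designs(mesh_ids: list) -> tuple:
    """Return the exposed meshes under (static key, per-installation key)."""
    install_secrets = {m: os.urandom(32) for m in mesh_ids}  # made at onboarding
    static = {m: static_mesh_key(m.encode()) for m in mesh_ids}
    derived = {m: derived_mesh_key(install_secrets[m], m.encode()) for m in mesh_ids}
    first = mesh_ids[0]
    return blast_radius(static, first), blast_radius(derived, first)


if __name__ == "__main__":
    print(compare_designs(["home-a", "home-b", "office-c"]))
```

With the constant key, learning one mesh's key exposes every mesh; with per-installation derivation, the exposure stays within the single mesh whose secret was learned.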