The recent revelation that an Internet-connected LED bulb could be hacked to reveal Wi-Fi usernames and passwords shouldn’t come as a surprise. Unscrupulous thieves have been stealing seemingly protected intellectual property for years, whether it be software, credit card data, or some other personal or business information. So, you can imagine that with the emergence of a myriad of connected devices defined by the Internet of Things (IoT), evildoers must be rubbing their hands in delight at the thought of the potential mayhem that can be unleashed.
In this case, security services firm Context Security undertook a white-hat exploitation of a vulnerability in programmable, smartphone-controlled LIFX smart LED bulbs. The exploit allowed hackers in close proximity to the bulbs to obtain the passwords used to secure the connected Wi-Fi network by sending a command to the compromised bulb with their smartphones. Once commands are received, the credentials are broadcast from the master bulb to all the other bulbs over a network. Although the Advanced Encryption Standard (AES) was used to encrypt passwords, the pre-shared key never changed, thus enabling hackers to easily decipher the information.
You can read the full post here on Embedded-Computing.com.