How the Grinch Stole Your Christmas Lights: Leaky LED Bulbs Could be Remotely Controlled
Insecure LED light bulbs could be remotely hijacked and potentially leak your password.
Internet of Things (IoT) devices for the home continue to be popular, and many people may be considering buying more smart home gadgets this Christmas. It seems that every device now has a smart version that can be integrated into the home network, from microwaves to showers, from heating to smoke detectors.
Symantec constantly analyses the risks associated with IoT devices and their various possible attack vectors. Symantec recently came across some security issues in a remote-controlled, full-colour LED light bulb. It’s a low-priced brand that can be bought at many online stores and is easy to use and integrate with popular voice-activated smart assistants. In order to set up and use the light bulb to its full extent, the user has to install a smartphone app and create a free account. The light bulb will then be added to the local WiFi network and can be controlled remotely through the internet.
Leaking the login
The first thing Symantec noticed while analysing the network traffic was that the smartphone application was mostly using plain HTTP requests to interact with the backend in the cloud. Only a few requests, for example to register a new user or to log in, were sent encrypted over HTTPS.
This means that anyone with access to the network could potentially sniff this traffic, recover the password hash it carries and brute-force it. If the password is not very complex, the attacker has a very good chance of cracking it. To make matters worse, the application does not provide an option to change the password; once the user has chosen one, it is fixed. Equipped with this data, an attacker could log into the account and take over all of the user’s light bulbs.
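As an added defensive illustration (not code from Symantec or the report), the following Python audit walks constructed proxy-style request records from a home network and grades every cleartext HTTP request by what it exposes: a credential or digest-like value (as with the password hash described above), a device MAC address (the identifier used to address a bulb), or nothing sensitive. The log format, hostnames, addresses and values are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real device traffic), one request per line,
# in a simplified key=value proxy-log form: src, proto, method, host, path, body.
SAMPLE_LOG = """\
src=192.168.1.42 proto=https method=POST host=cloud.example.invalid path=/user/register body=-
src=192.168.1.42 proto=http method=POST host=cloud.example.invalid path=/device/list body=uid=1234&pwd=3f2a9c81d4e6b7a0c5d1e2f3a4b5c6d7
src=192.168.1.42 proto=http method=GET host=cloud.example.invalid path=/device/state?mac=AA:BB:CC:DD:EE:FF body=-
src=192.168.1.10 proto=https method=GET host=www.example.invalid path=/ body=-
"""

# Heuristics: credential-like parameter names, hex runs the length of MD5/SHA-1/SHA-256, MAC addresses.
CRED_KEY = re.compile(r"(?i)\b(pass(word)?|passwd|pwd|pass_?hash|token|secret)=")
HEX_DIGEST = re.compile(r"(?i)\b([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b")
MAC_ADDR = re.compile(r"(?i)\b([0-9a-f]{2}:){5}[0-9a-f]{2}\b")

@dataclass
class Finding:
    src: str
    host: str
    path: str
    severity: str
    reason: str

def parse_record(line):
    # Split "k=v k=v ..." on spaces, then each field on its first "=" only
    return dict(field.split("=", 1) for field in line.split(" "))

def audit(log_text):
    """Return one Finding per cleartext (plain HTTP) request, graded by what it exposes."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["proto"] != "http":
            continue  # TLS-protected: a passive observer on the LAN cannot read it
        payload = rec["path"] + " " + rec["body"]
        if CRED_KEY.search(payload) or HEX_DIGEST.search(payload):
            sev, why = "high", "credential or digest-like value sent in cleartext"
        elif MAC_ADDR.search(payload):
            sev, why = "medium", "device MAC address (usable as device identifier) sent in cleartext"
        else:
            sev, why = "low", "cleartext request (no secret seen, but contents are observable)"
        findings.append(Finding(rec["src"], rec["host"], rec["path"], sev, why))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.severity:6} {f.src} -> {f.host}{f.path}: {f.reason}")
```

Run against a real export, the same idea flags which smart-home devices still talk to their cloud backend without TLS and what they leak while doing so.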
Turning off the lights
Once a remote-controllable device is found, an attacker can interact with the device. This action does not require knowledge of the password. Similar to the enumeration weakness, all that is required is an authenticated session and the MAC address of the device. Each light bulb can be controlled by multiple users and can therefore also be linked to multiple accounts. Once the connection is established, the attacker can turn the lights off or on, change the colour, or rename the device. The attacker gains full control over the lights, as if it were their own home.
Mitigation
Buyers of such IoT devices need to be aware of the potential risks they expose themselves to. As attacks go, having your smart light bulbs remotely controlled by an attacker might not be so severe, but it could be unsettling nonetheless, and it could be only the first step in a bigger attack scenario. Thus, make sure to follow some of these basic guidelines when installing smart devices over the holiday season, so attackers will not be able to turn off your Christmas lights:
• Change any default passwords during installation.
• Use a dedicated account with a strong password to set up the devices.
• Update the firmware and the smartphone apps whenever there is a new version released.
• Consider whether the device needs an internet connection or whether the local network is sufficient.
• Verify that the configuration of the device matches your needs.
• Turn off unused or unwanted features and services, like remote control.
To read the full Threat Intelligence Report please go to https://www.symantec.com/blogs/threat-intelligence/leaky-christmas-lights-hijacked
If you would like to speak with a Symantec spokesperson please let me know.
ends