This post was written by Keith Dawson for UBM Tech’s community Web site All LED Lighting, sponsored by Philips Lumileds. It is archived here for informational purposes only because the All LED Lighting site may go dark at any time. This material is Copyright 2013-2015 by UBM Americas.

2014-07-07

Hacking LiFX

The lengths to which security researchers had to go to hack into a LiFX mesh network were fairly daunting. LiFX has patched the firmware to close the holes.

You may have read about the UK consultancy Context Information Security applying its considerable network cracking skills to demonstrate a vulnerability in the way LiFX had implemented bulb-to-bulb communication. A blog post on the Context site offers a detailed rundown of the cracking of LiFX. It may prove to be territory more familiar to the security and crypto geeks among us than to the lighting specialists.

LiFX's bulb-to-bulb communication takes place over a mesh network built on the IEEE 802.15.4 wireless standard -- the same one that underlies ZigBee. The particular flavor of mesh that LiFX uses is called 6LoWPAN, for IPv6 packets forwarding over a low-power personal area network.

For initial communication from a human, LiFX uses a "master" bulb on the network that speaks WiFi with the portable device and bridges to the mesh-speaking 6LoWPAN. This eliminates the expense (and configuration effort) of a separate WiFi-to-802.15.4 bridge device, at the cost of building such capability into every bulb.

Great lengths
The short form of this story is that the LiFX mesh network proved hackable after major effort, which required the expertise of a knowledgeable and resourceful opponent. A team of security experts would do it, or seasoned hackers, or perhaps tech-savvy criminals. A casual intruder? Not so much.

Here's what Context did. It discovered that the bulb-to-bulb comms were not encrypted, so it was able to inject a simulation of the signal a new bulb uses to announce itself -- as it turned out, without raising any kind of alarm in the LiFX network. This caused the master bulb to send Context credentials to the WiFi network.

These credentials were encrypted. To crack them, the researchers resorted to taking apart a LiFX bulb and identifying two ARM Cortex M3-based integrated circuits (from TI and STMicroelectonics) that handled WiFi and the mesh. Context then tapped into the flash storage on these ICs using a specialist's tool (a JTAG debugger). This produced a binary "blob" that, in theory, contained the secrets Context sought. It applied a reverse-engineering tool, IDA Pro, to this blob and extracted the encryption key, initialization vector, and block mode.

Study in contrasts
We learned last year about a far easier breakin attempt aimed at a Philips Hue network. The amount of effort required to hack the Philips and LiFX networks, along with the companies' responses to the security experts reporting the issues, provide us with a study in contrasts.

In short, LiFX was receptive to the security concerns and worked in cooperation with Context to get them fixed (here's the patched firmware). My impression from the blog writeup is that LiFX was glad to have dedicated security expertise, of an order it did not possess in-house, focused on helping its make its product more solid.

Philips, by contrast, never even responded to researchers' attempts to reach someone who could address a vulnerability.

Security is hard; crypto is harder. The skill sets needed to do them well are, it's probably safe to say, not widespread in companies making gadgets for the Internet of Things. That's all the more reason someone should be home when a white-hat hacker who has just penetrated a device comes calling.

Related post:

— Keith Dawson Circle me on Google+ Follow me on Twitter Visit my LinkedIn page, Editor-in-Chief, All LED Lighting