LIFX Mini bulbs store unencrypted Wi-Fi credentials: report
LIFX arguably makes some of the best smart lightbulbs available, but a new report indicates they might not be the most secure.
According to a teardown performed by Limited Results, LIFX Mini bulbs store unencrypted Wi-Fi credentials and have no firmware security.
To extract the information, Limited Results had to destroy the bulb to access its logic board. Once connected to the board, it didn’t take long to uncover several vulnerabilities.
For one, the LIFX bulb stores the Wi-Fi credentials in plaintext on its flash storage. Further, the bulb stores unencrypted RSA encryption keys, commonly used in establishing secure SSL or TLS network connections, on the flash storage.
While a hacker would need physical access to the lightbulb to obtain this data, the bulb’s firmware has no security to combat physical tampering. In other words, if you can access the bulb, there’s nothing to stop you from gaining access.
Limited Results informed LIFX of the vulnerability in May 2018 but didn’t receive a response until October the same year. Limited Results agreed to give LIFX 90 days before disclosing the vulnerability.
MobileSyrup has reached out to LIFX to see if the company has released, or plans to release, a patch for the vulnerability. This story will be updated with a response.
For now, it’s likely safe to keep using your LIFX bulbs, as long as no one gains physical access to them.
Source: Limited Results Via: Apple Insider
The post LIFX Mini bulbs store unencrypted Wi-Fi credentials: report appeared first on MobileSyrup.
from MobileSyrup http://bit.ly/2SeDyq9