Security through obscurity: Smart Light bulb Exposes Wi-Fi Password

A team of British security consultants (Context) hacked their way into a private Wi-Fi network — using Lifx bulbs as the backdoor.

In a typical Lifx setup, one bulb will automatically serve as the “master,” communicating directly with your smartphone and then relaying all info to other “slave” bulbs. Context’s team was able to hack their way in by posing as a new slave bulb and tricking the master bulb into sending them Wi-Fi credentials — the last thing you want a hacker to get their hands on.

On top of that, nothing that Context did raised any red flags within the Lifx network, or on the Lifx app. There wasn’t even a notification that a new bulb was asking to join the network.

Even more alarming was the fact that the decryption protocol Lifx bulbs were using to decode these credentials was a global one. If a hacker were to get their hands on it, they’d essentially have a skeleton key capable of letting them into any network that uses Lifx bulbs.  The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN External Link, a wireless specification built on top of the IEEE 802.15.4 standard External Link. While the bulbs used the Advanced Encryption Standard (AES) External Link to encrypt the passwords, the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.

This underscores the futility of relying on obscurity to prevent hacking attacks.

Version 1.1 of the LIFX firmware was unavailable for downloads, making it hard for hackers to reverse engineer it and uncover the types of crypto weaknesses that exposed the Wi-Fi credentials (obscurity). The Context engineers found a way around this hurdle. They undertook the painstaking process of removing the microcontroller embedded inside each bulb and connecting different JTAG pins External Link to special debugging hardware to monitor the signals that were sent when lightbulbs were added or removed to a network. “At this point we can merrily dump the flash memory from each of the chips and start the firmware reverse engineering process,” the researchers wrote.




  • No matter how good you obscure something, somebody will find a way to expose your secrets and exploit them
  • Don’t use obscurity. Instead
    • use proper encryption
    • don’t use default universal passwords/keys
    • change any default secret upon first usage/startup
    • use a secure storage (whenever possible)


Sources: External Link External Link


© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check for seeing the consulting services we offer.

Visit for latest security news in English
Besuchen Sie für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .
%d bloggers like this: