Tuesday, July 8, 2014

All your light bulbs are belong to us

Yeah, I've been saying forever that security for the "Internet Of Things" isn't an afterthought, it's not thought of at all. It seems that some of the Smart Lads decided to have a go at one of the newfangled WiFi-enabled light bulbs. Hilarity ensued:
Loading the firmware image into IDA Pro, we could then identify the encryption code by looking for common cryptographic constants: S-Boxes, Forward and Reverse Tables and Initialization Constants. This analysis identified that an AES implementation was being used.

AES, being a symmetric encryption cipher, requires both the encrypting party and the decrypting party to have access to the same pre-shared key. In a design such as the one employed by LIFX, this immediately raises alarm bells, implying that each device is issued with a constant global key. If the pre-shared key can be obtained from one device, it can be used to decrypt messages sent from all other devices using the same key. In this case, the key could be used to decrypt encrypted messages sent from any LIFX bulb.
Those of you who deal with Tech are already in full Face Palm mode.
References to the cryptographic constants can also be used to identify the assembly code responsible for implementing the encryption and decryption routines. With the assistance of a free software AES implementation [7], reversing the identified encryption functions to extract the encryption key, initialization vector and block mode was relatively simple. [My emphasis - Borepatch]
Shared secret is bad, mkay?

Le sigh.

[Uses the patient voice reserved for talking to beloved but slow children]

You see, Punkin, this is why we can't have nice things on the Internet.
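The constant-hunting step in the quoted write-up is also how a firmware audit confirms that an image ships its own AES code. This is an added example, not code from the post or from the researchers. The function names and the sample blob are constructed for illustration, and the S-box is derived from the AES definition rather than typed in.

```python
# Added example: find AES lookup tables in a firmware blob by their constants.

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def aes_sbox():
    """Forward S-box: multiplicative inverse followed by the affine transform."""
    box = bytearray(256)
    for x in range(256):
        inv = next(y for y in range(1, 256) if _gf_mul(x, y) == 1) if x else 0
        box[x] = (inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2)
                  ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return bytes(box)

def aes_signatures():
    """Byte patterns for the S-boxes and the Te0 forward table (both byte orders)."""
    sbox = aes_sbox()
    inv = bytearray(256)
    for i, s in enumerate(sbox):
        inv[s] = i
    te0 = [bytes((_gf_mul(s, 2), s, s, _gf_mul(s, 3))) for s in sbox]
    return {
        "AES S-box": sbox,
        "AES inverse S-box": bytes(inv),
        "AES Te0 table (big-endian words)": b"".join(te0),
        "AES Te0 table (little-endian words)": b"".join(w[::-1] for w in te0),
    }

def scan(blob):
    """Return sorted (offset, name) pairs for every AES table found in blob."""
    hits = []
    for name, sig in aes_signatures().items():
        pos = blob.find(sig)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(sig, pos + 1)
    return sorted(hits)

def sample_blob():
    """Constructed stand-in for a firmware image: filler with two tables planted."""
    sigs = aes_signatures()
    blob = bytearray(b"\xff" * 0x3000)
    blob[0x400:0x500] = sigs["AES S-box"]
    blob[0x1000:0x1400] = sigs["AES Te0 table (little-endian words)"]
    return bytes(blob)
```

A hit only shows that AES code is present. Whether the key is a constant baked into every unit, as the write-up found, is the follow-up question for the code that references those tables.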


Anonymous said...

One of the presenters at a security conference a couple of years ago talked about the lack of security in the "Internet of Things". He was more outraged that lightbulbs would be using IPv4, but he did discuss how little to no, or worse, bad, encryption on light bulbs and thermostats could cause big issues.

As for me, I'm happy to have my 1950's technology in my 1940's house.

NotClauswitz said...

I really don't like Internet-enabled car-type vehicles festooned with gadgets and run by RFID chips. Stay off my motorcycle.