- The security flaw lies in the app that is used to control the smart bulbs.
- The attack can get worse if attackers get hold of a user’s account and brute-force the MAC address of a targeted device.
A ‘smart’ LED bulb connected to Wi-Fi can now put a user’s data at risk. Researchers have discovered that attackers can remotely hijack such a bulb, integrated into the home network, to steal a user’s password and email address.
According to research by Symantec, the security flaw lies in the app that is used to control the smart bulbs. While analyzing the app’s network traffic, the researchers found that only a few requests were sent encrypted over HTTPS and that the remaining information was sent in plaintext.
“The first thing we noticed while analyzing the network traffic was that the smartphone application was mostly using plain HTTP requests to interact with the backend in the cloud. Only a few requests, for example to register a new user or to log in, were sent encrypted over HTTPS,” said Candid Wueest, Principal Threat Researcher at Symantec.
This critical flaw could allow attackers to read a large amount of unencrypted private data as it is transferred to the back end in the cloud.
“For example, when the user decides to change the internal name of a light bulb, an unencrypted POST request is sent with the user’s email address in cleartext and the MD5 hash of the unsalted password. This means that anyone with access to the network could potentially sniff this traffic and brute-force the password hash,” Wueest explained.
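The quote above describes two weaknesses stacked on top of each other: the credential travels over plain HTTP, and what travels is an unsalted MD5 of the password, which is precomputable and identical for every user who picks the same password. The following added example (not code from the article, Symantec, or the vendor’s app) contrasts that scheme with per-user salted hashing using a slow KDF from Python’s standard library; the sample accounts and passwords are constructed, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumption, not something the article specifies.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

# Constructed sample accounts (not from the article or the vendor's backend).
# Two users deliberately share a password to show linkability under MD5.
USERS = {
    "alice@example.invalid": "hunter2",
    "bob@example.invalid": "hunter2",
}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the server's budget


def legacy_md5_token(password: str) -> str:
    """The weak scheme the article describes: an unsalted MD5 digest of the
    password. Anyone who captures it can match it against precomputed tables,
    and identical passwords always yield identical tokens."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened alternative (assumption: hashing happens server-side, after the
    password arrives over TLS): a random 16-byte per-user salt plus a slow KDF.
    Returns (salt, digest); both must be stored to verify later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def tokens_collide(scheme: Callable[[str], object]) -> bool:
    """True when two different users with the same password end up with the
    same transmitted/stored value under `scheme` (i.e. the value leaks that
    the passwords are equal and can be attacked once for both)."""
    values = [scheme(pw) for pw in USERS.values()]
    return len(set(values)) < len(values)


if __name__ == "__main__":
    print("MD5 tokens collide across users:", tokens_collide(legacy_md5_token))
    print("Salted KDF digests collide:", tokens_collide(lambda pw: hash_password(pw)[1]))
    salt, digest = hash_password("hunter2")
    print("verify correct password:", verify_password("hunter2", salt, digest))
    print("verify wrong password:  ", verify_password("Hunter2", salt, digest))
```

The collision check is the point of the demonstration: with unsalted MD5 the two sample accounts transmit byte-for-byte identical tokens, so a single captured value compromises both, whereas salted digests differ per user and can only be checked with the stored salt and a full KDF computation each time. Salting does nothing about the transport problem, so the hardened form still assumes the password is only ever sent over HTTPS.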
Worst case scenario
The attack can get worse if attackers get hold of a user’s account. They can use the account details to brute-force the MAC address of a targeted device. For this, Wueest said, an attacker needs only an active session. A successful attempt can enable an attacker to enumerate all possible MAC addresses of a particular vendor and later use them to control the smart light bulbs remotely.
“The API on the back end allows a user to find the user account that is associated with a specific light bulb by sending the MAC address of that device. There is no verification to determine whether the user account used to query a device is actually associated with that device. Therefore, an attacker only needs an active session that has already been authenticated, and can then guess or brute force the MAC address of a target device.”
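The missing check Wueest describes is an object-level authorization failure: the endpoint authenticates the caller but never asks whether the caller owns the device being queried, so any valid session doubles as an oracle for which MAC addresses exist and whom they belong to. The added example below (not the vendor’s backend code or Symantec’s) models the lookup in both forms; the device records, account names, and the five-miss threshold are constructed placeholders, and the enumeration counter is one defensive design choice among several.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records; addresses and accounts are placeholders,
# not the vendor's data.
DEVICES = {
    "aa:bb:cc:00:00:01": {"owner": "alice@example.invalid", "name": "kitchen"},
    "aa:bb:cc:00:00:02": {"owner": "bob@example.invalid", "name": "bedroom"},
}

MAX_MISSES = 5  # assumed threshold of foreign/unknown lookups per session


class EnumerationSuspected(Exception):
    """Raised once a session has asked about too many devices it does not own."""


@dataclass
class Session:
    user: str        # account already authenticated for this session
    misses: int = 0  # lookups that hit a device the caller does not own


def lookup_device_insecure(session: Session, mac: str) -> Optional[str]:
    """Mirrors the flaw in the article: the session is authenticated, but the
    handler never checks that `mac` belongs to `session.user`, so any caller
    learns which account owns any device they can name."""
    record = DEVICES.get(mac)
    return record["owner"] if record else None


def lookup_device_checked(session: Session, mac: str) -> Optional[dict]:
    """Hardened form. The record is returned only when the device is registered
    to the calling account. A device owned by someone else and a device that
    does not exist produce the identical answer (None), so the endpoint no
    longer confirms which addresses are valid; repeated misses are counted so
    that guessing can be detected and the session cut off."""
    record = DEVICES.get(mac)
    if record is None or record["owner"] != session.user:
        session.misses += 1
        if session.misses >= MAX_MISSES:
            raise EnumerationSuspected(
                f"{session.user}: {session.misses} lookups for devices not owned"
            )
        return None
    # Return only what the owner needs; the owner field is already known to them.
    return {"mac": mac, "name": record["name"]}


if __name__ == "__main__":
    alice = Session("alice@example.invalid")
    print("insecure, bob's device:", lookup_device_insecure(alice, "aa:bb:cc:00:00:02"))
    print("checked, bob's device: ", lookup_device_checked(alice, "aa:bb:cc:00:00:02"))
    print("checked, own device:   ", lookup_device_checked(alice, "aa:bb:cc:00:00:01"))
    print("checked, unknown MAC:  ", lookup_device_checked(alice, "00:00:00:00:00:00"))
```

Two properties matter in the checked version. First, the ownership comparison happens on the server against the authenticated identity, not against anything the client sends. Second, the "not yours" and "not found" paths are indistinguishable to the caller, which removes the oracle that makes guessing MAC addresses worthwhile; the per-session miss counter then gives the operator a detection signal (and a reason to terminate the session) if someone tries anyway.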
Wueest says that Symantec has reported the issue to the manufacturer. Meanwhile, users are urged to follow basic guidelines to stay safe from such attacks: change the default password when installing IoT devices, keep the smartphone apps updated to the latest version, and turn off smart devices when they are not in use.