LIFX Smart Bulbs May Reveal Your Wi-Fi Password

UPDATED 1:55 p.m. EST Jan. 30 with additional statement from LIFX, plus a statement from Tuya.

LIFX Mini smart bulbs have some pretty dumb security, a pseudonymous researcher says.

Image credit: Monica Chin/Tom's Guide

(Image credit: Image credit: Monica Chin/Tom's Guide)

The bulbs store Wi-Fi access passwords in plaintext, have no security settings and hard-code a private encryption key right into the firmware, according to researcher Limited Results, who posted a report about the LIFX Mini on his or her blog earlier this month.

The Wi-Fi password is the least worrisome thing here, believe it or not. Your enemies would have to steal a bulb from your house (or from your trash), take it apart and connect the bulb's circuit board to a computer to get that password.

Potentially far worse is the private encryption key, which Limited Results reveals in a screenshot on the blog. If all LIFX Mini units use the same key to authenticate firmware updates (and we don't know if they do), then bad guys could create a phony firmware update to massively hack all LIFX Mini bulbs -- and get thousands of home Wi-Fi passwords at once.

The upshot of all this: At the very least, don't throw your dead LIFX Mini bulbs into the trash intact. Smashing them up into small pieces might be better. We're waiting to see if the hard-coded private encryption key can be used to update the firmware on more than one bulb.

Tom's Guide has reached out to LIFX for comment, and we will update this story when we receive a reply. (UPDATE: LIFX did respond, twice. See end of story.)

MORE: How to Secure Your (Easily Hackable) Smart Home

Getting all these details was moderately difficult for Limited Results, who appears to be posting from somewhere in western Europe. He or she bought a LIFX Mini for 30 euros on Amazon, set it up as one normally would and then took it apart to get to the bulb's circuit board.

Using standard hardware-hacking tools, Limited Results booted up the board, dumped the firmware to a computer and analyzed the code. The name and WPA2 password of Limited Results' Wi-Fi network were easily found.

Limited Results then checked the firmware's internal security settings and found that, well, there really weren't any.

"This device is totally open," wrote the researcher, who has also investigated Tuya and Yeelight smart bulbs.

And for the piece de resistance: "Root certificate and RSA private key are present into the firmware," Limited Results posted.

"Oh Jesus," he or she concluded. "I decided to stop the investigation after that."

LIFX Mini bulbs work with Amazon Alexa, Apple HomeKit and Google Assistant. Unlike some other smart bulbs, they connect directly to a home Wi-Fi network rather than through a hub.

Limited Results says he or she tried to contact LIFX about this last May, but got no response until after trying again in October. LIFX apparently confirmed the results and got Limited Results to agree to a 90-day hold before Limited Results disclosed the problems. The 90 days ended Jan. 23.

UPDATE 8:00 p.m. EST Jan. 30: LIFX replied to our queries with the following statement: "We have addressed the issues detailed in the Limited Results article during the end of 2018, and we will be releasing a statement later today providing more information on the actions carried out."

UPDATE 1:55 p.m. EST Jan. 31: In an additional message, a LIFX representative stated that the Wi-Fi network password was now encrypted in LIFX firmware,  new security settings had been applied, and the root certificate and RSA private key were also encrypted.

Furthermore, LIFX added, "the private key exposed by this research is NOT used to sign firmware updates."

"It is used for securing the onboarding process, e.g. connecting your light to your Wi-Fi network, to prevent a malicious actor making a device that pretends to be a LIFX light," the LIFX spokesperson said. "The private key is used in all LIFX Mini units at this time, but it has now been replaced with a new private key that is encrypted."

A page detailing the LIFX security fixes, along with a thank-you to Limited Results, has been posted, and an email contact has been created at security@lifx.com.

Tuya also contacted us to state that the vulnerabilities in its smart bulb, which Limited Results earlier revealed, had been fixed.

"We finished technical updates for all known issues and the Public Software App is now available on Google Play and App Store," a Tuya spokesperson said via email. "Customized Software Apps for each client are scheduled to be upgraded separately during the beginning of February. On the hardware end, the upgrade package is ready, and we are scheduling a time with all of our clients to work with a specialized Tuya tech complete the upgrade."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.