Updated article to include a slight amount of technical descriptions.
Internet connected devices are known to be vulnerable, but what would happen to an IOT light bulb that was hacked? Most would do things that aren’t harmful to the users, mostly because they lack the knowledge of how dangerous IOT devices can be.
We were asked to hack an internet connected light bulb per the request of the giant tech company who made it. Yes, an internet connected light bulb. We were testing the security of the light bulb when I started to wonder about a feature that the light bulb had. This feature allowed for people to remotely increase or decrease how bright the light is. Cool, but did they put rate limiting in place for the light bulb, so it can’t exceed a level of voltage that would make it explode and shatter everywhere? My hypothesis was that they most likely did not put rate limiting in place, so this light bulb should be able to explode.
This was my hypothesis, which we tested, since the person we were co authoring the exploit with had a secure environment to try and make the lightbulb explode. The light bulb was put in a box to make sure no one could be harmed if the light bulb exploded and shattered everywhere. It certainly did work, the glass shattered inside the box as the light bulb exploded due to a lack of rate limiting, which would’ve stopped this attack.
The lightbulb let you change the voltage via your phone. We used a well known software program for information security professionals called burpsuite to alter the request going to the light bulb and changing the amount of voltage it was to send from the maximum limit that the app allowed to a level of voltage that made the light bulb shatter.
What would happen if someone hacked the light bulbs across the homes of people who used it? They would be harmed at best, however this is not a laughing matter, especially due to how bad the security was. There were hard coded passwords and the email account associated to the development work for the lightbulb that were accessible on github. No, we are not joking. Sadly this is the reality we live in. A highly insecure reality with companies making it even more insecure by not fixing the most basic issue, which in this case was rate limiting.
Due to how vulnerable the light bulb was, it is and was absolutely unsafe. Unsafe to the point that we don’t believe it belongs in people’s homes. Fortunately the company announced in March 2017 that they had discontinued the sales of these lightbulbs. But they are still supporting the light bulbs that have already been purchased. The issue was reported, but we do not know if it was fixed or if these light bulbs still are still able to shatter.
This is only one internet connected nightmare device that we have audited. Our conference called Critical Con focuses solely on security flaws that can harm, kill, or assault the users and ways to possibly solve these issues September 15th and 16th in Westlake Village, California. If you would like to speak or would like to come, go to the website https://criticalcon.com.