“Armed with knowledge of the encryption algorithm, key, initialization vector, and an understanding of the mesh network protocol we could then inject packets into the mesh network, capture the Wi-Fi details, and decrypt the credentials, all without any prior authentication or alerting of our presence,” researchers from security consultancy Context wrote.

To its credit, LIFX responded proactively to the discovery by Context. Version 1.3 of the firmware now encrypts all 6LoWPAN traffic using an encryption key derived from the Wi-Fi credentials. It also includes functions for secure processing when new bulbs join a network. But given its war chest of $1.7 million, it’s unfortunate the company didn’t catch the crypto weakness on its own before the bulbs were available for public consumption. Software updates of any type are a hassle for many people, and firmware fixes are often even more difficult or risky.

Marketers would have people believe they’re missing out unless their refrigerators, thermostats, and other traditional appliances are connected to the Internet. Yet over and over, these devices have been shown to introduce networking and privacy threats not present in non-networked iterations. Microsoft, Apple, and Google devote huge amounts of resources to ensuring their wares and services are secure. Manufacturers pursuing Internet of Things riches would do well to apportion a similar percentage of their means to securing these devices.
