Light bulbs hacked; it’s funny, but it’s not

ContextIs.com (click for their report)
ContextIs.com (click for their report)

It’s a question I think about a lot: Are we moving towards a world that’s safer or more dangerous?  More or less secure? This week, the “less secure” side scored another goal. Light bulbs can be hacked.  Doing so seems like a rather silly science fair project until you think about what it really means.

London-based security firm Context has taken an interest  in fragility of the Internet of Things, as we all should.  As a refresher, the Internet of Things simply means wireless chips will soon be placed in many items in your home, and these will all talk to the Internet and each other.  It’s not science fiction; it’s more like George Jetson. Whiz-bangy light bulbs sold by a firm named LIFX are among the first Internet of Things products. The bulbs talk to each other, and can be controlled with a smartphone.  Neat, I guess, in a chia pet sort of way. (Click on! Click off!)

Context took the things apart and found that a hacker could trick the bulbs into surrendering control to a stranger.  Essentially, bad guys can hop on the bulb users’ WiFi network and take control of the bulbs.  If you look at the firm’s website, you’ll see how much trouble it went to in order to turn a victim’s lights on and off.  Also neat, I guess.  The hack comes with a strong mitigating factor; the hacker must be within 30 meters of the target to start the surprise disco effect.  So state secrets are not at stake.

But here’s what you should think about.  LIFX seems like a responsible enough outfit. It isn’t Yo, that’s for sure.  The bulbs actually came loaded with AES (Advanced!) encryption. So the engineers actually thought about this problem. But the bulbs all shared the same underlying encryption key. Hack one, hack them all. That’s what Context did.

LIFX, by all accounts, reacted quickly to the hack and has issued a fix. Great, I guess. Happy ending?  Not by a long shot. I promise you, this pattern will repeat itself again, and again, and again.  There is no model currently that requires firms inventing cool stuff to make it safe. Features first, safety last. If ever.

Therefore, our world will soon be full of really creative devices full of fatal flaws.  It’s always been this way — features over safety — but when vulnerabilities were limited to personal computers, there were some real-world limits on how much trouble consumers could get into.  When the threats are in everything, as they will be with the Internet of Things, watch out.  Here’s a thought exercise.  What happens when it’s not the light bulbs, but rather the power outlets, that are “smart” and can be hacked?  

This is why I made much ado about the nothing piece of software called Yo that had its 15 minutes of fame a few weeks ago.  Quick refresh: Yo is Twitter in two characters. Participants send single, two-character messages using Yo. It got a flurry of attention, allegedly a flurry of investment, and then hackers figured out they could download all personal information anyone had given Yo.   The firm that made Yo bragged that it was programmed in a day. The Internet of Things will be full of gadgets programmed in a day, full of basic, serious flaws, unless something changes. 

Sign up for Bob Sullivan’s free email list.

 

About Bob Sullivan 1054 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.