Smart Lighting Can be Exploited to Access your WIFI network


It's great, isn't it, smart lighting in your house? You tie the lights into your Wi-Fi network with just your SSID and Wi-Fi password. But once the lights have access, what happens to the information you just entered? As it turns out, your smart light can be used as a Trojan horse to access your Wi-Fi network.



A report from Golem explains that security researcher Michael Steigerwald noticed that the security level of devices like smart lights is minimal. Steigerwald, who has been working on smart homes for years, shows how a neighbor can read the Wi-Fi password from your smart bulb or snoop on a local firmware update on the local network. He has now published a manual and the software used on GitHub.

Apparently, a lot of this gear originates from the Chinese manufacturer Tuya, which distributes IoT modules with a cloud connection. The provider enables hardware manufacturers to become smart home providers within a very short time. They are offered appropriate controls and an app whose design the hardware manufacturers can adapt. Over 11,000 devices from more than 10,000 manufacturers from 200 countries already use the IoT modules, the Chinese company advertises.

Steigerwald bought several bulbs with a board from the Chinese IoT provider. He registered them in the cloud via the app and could turn them on and off via the app as desired. Then he unscrewed a bulb and, after some soldering, read out the flash memory with esptool. In the approximately 1 MByte of memory, he found the unencrypted access data for his Wi-Fi. "I know people who use such bulbs in their garden at home, so the neighbor can just get the light bulb and then learn the Wi-Fi passwords," commented Steigerwald at the 35th Chaos Communication Congress. The manufacturer advertises "Military Grade Security".
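As an added example (not code from the article or from Steigerwald's repository), the following script checks a flash image you have already dumped from a device you own, for instance before selling or discarding it, for cleartext copies of your own Wi-Fi credentials. The sample image, its record layout and the credential values are constructed for illustration and do not reflect any vendor's actual storage format.

```python
"""Audit a flash image dumped from your own device for cleartext secrets."""

# String encodings commonly used by firmware; each secret is tried in both.
ENCODINGS = ("utf-8", "utf-16-le")


def find_cleartext(image: bytes, secrets: dict[str, str]) -> list[tuple[str, str, int]]:
    """Return (label, encoding, offset) for every cleartext occurrence of a secret."""
    hits = []
    for label, value in secrets.items():
        for enc in ENCODINGS:
            needle = value.encode(enc)
            start = 0
            # Report every occurrence: config data is often stored more than once.
            while (pos := image.find(needle, start)) != -1:
                hits.append((label, enc, pos))
                start = pos + 1
    return sorted(hits, key=lambda h: h[2])


def build_sample_image() -> bytes:
    """Constructed 1 MiB image: erased flash (0xFF) plus a made-up config record."""
    image = bytearray(b"\xff" * (1024 * 1024))
    record = b'{"ssid":"HomeNet","passwd":"correct-horse-42"}'  # constructed values
    image[0xFB000:0xFB000 + len(record)] = record
    return bytes(image)


if __name__ == "__main__":
    # The secrets are the ones you configured yourself, so nothing is guessed.
    secrets = {"ssid": "HomeNet", "wifi_passphrase": "correct-horse-42"}
    for label, enc, off in find_cleartext(build_sample_image(), secrets):
        print(f"{label}: cleartext ({enc}) at offset 0x{off:06x}")
```

Any hit means the credential sits unencrypted in flash, so the Wi-Fi passphrase should be changed once the device leaves your control.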

He was also able to read several encryption keys from the memory, as well as the serial and product number of the light source. He changed the product number and flashed the firmware back. Now he was able to access the bulb from another Chinese IoT provider's cloud account, including sensitive data such as location, e-mail address, and sometimes even the user's phone number. In addition, the on and off operations are recorded for seven days, but longer periods are also possible at the manufacturer's request, Steigerwald quoted from the software.

In the next step, Steigerwald captured the communication between the light source and the cloud with the tool Wireshark. In addition to mostly unencrypted HTTP and DNS traffic, he was also able to detect encrypted communication using the MQTT protocol (Message Queuing Telemetry Transport), which is common in IoT devices. The latter enables the control of IoT devices in private networks, explained Steigerwald. In a 60-line script, he found the complete cryptography, including the 128-bit AES key used. So he could access the keys of the MQTT encryption. The data is signed with the insecure MD5 hash.

In his presentation, Steigerwald demonstrated how he replaced the firmware of the lamp with his own customized firmware. In this way, a Trojan can be installed on the light source, which, for example, extracts the Wi-Fi access data.

"Yesterday it was still a safe smart lamp and tomorrow it's a Trojan, the user himself just does not get it at all," said Steigerwald.
