Discarded smart lightbulbs reveal your wifi passwords, stored in the clear

Originally published at: https://boingboing.net/2019/01/29/fiat-lux.html


Another good reason to use a VPN - WPA2 PSK means over time more and more people have your PW and thus all can decrypt your traffic. (And people are nudged not to change the PW or they’ll be forced to update all the shit in their house)


Indeed. For a determined attacker, WPA2 on your wireless AP does not present a significant barrier.

The plus side is this: Determined attackers are vanishingly rare. Remember when the advice given here was to run your AP open? Yeah, it’s been a while…

I run my open, but hidden SSID. Great for old device compatibility, and weeds out the vast unwashed hordes of Wifi borrowers.


This doesn’t help with the various trash devices in your life; but there’s always WPA2 non-PSK.

Setting up RADIUS isn’t notably messier than setting up your own VPN endpoint; and the alternative is trusting one of the…many fine vendors…in that market. Plus; using a VPN out of your network breaks any connectivity you might want between devices on your LAN. Printers, fileservers, that sort of useful stuff.

Running multiple SSIDs with their own security and routing arrangements is also rather cheaper than it used to be. No reason for the IoT trash in the smart lightbulb slum to share a key with anything you care about.


Luckily HTTPS is more common. Especially since fucking Netflix and Amazon Prime both insist I turn off the VPN. I’ve been using Tor more for that reason, but sadly if you resize the Tor window you’ll reduce your anonymity…

I print so rarely I just go to a public library or do it at work. I agree that’s a solution but as I get older my time is valuable and ain’t nobody got time for that.


It’s too bad that essentially no consumer devices spring from the somewhat more paranoid heritage of fed encryption widgetry.

I’m guessing that I’d be less happy about, among other things, the price tag; but just look at the lovely ‘zeroize’ button on something like this puppy, right near the fill port:

No need for some awful app or cloud thing to tell it a secret; that’s a hardware feature front and center(literally, given the location of the fill port). Time for it to learn that forgetting is the only way to keep a secret properly? Just tap that delightful red button 3 times…


I can remember years ago when I’d be driving down the road in a city and wanted to check my email without a broadband plan. I set my laptop to search, find an open wifi, pull over to the curb, and download my email.

I probably did that a good hundred times over the years. Alas, those days are gone.


That’s why you should only give your lightbulbs guest access.


Wait. Just stop for a moment. I… uhh…

Could we go back to the part about … the… internet… enabled… lightbulb?!?!?


Just installed a few to avoid running wiring for switches. Saved a few thousand bucks in electrician fees. All I needed was a power source. Yes indeedy now can control the whole lighting system from anywhere.

As much as they are going for I won’t be discarding them anytime soon but, I now know to smash the hell out of them.


Needs a DIN adaptor to impress your passengers! :rofl:

wily dumpster-divers

Great name for a band.


That’s how I discovered I had wifi the first time when I took my newly issue work laptop home. We used cables with the Internet router I had at the time; all I could get at the time was dial-up or ISDN.

I’m just about done setting up the laptop and I’m happily browsing the web when I realize I hadn’t plugged in the cable.

1 Like

If someone found this lightbulb at a dump or recycling facility, would driving around the city searching for the correct network be the only way to execute the hack, or is there a SSID map they can use? If there is, does that mean there is a security benefit to using a common, generic SSID?


There are a few public WiFi maps, and that data is also collected mapping and geolocation vendors because it’s helpful for getting faster location fixes(Google’s street view cars got in trouble see time back over exactly how much traffic they were collecting; but they aren’t the only ones and SSID collecting itself has never been seriously challenged); so any adversary who cares can probably look you up.

As for generic SSIDs, less helpful than one would hope. The SSID is the configurable friendly name; but the BSSID(roughly speaking the access point’s MAC, and similarly intended to be unique and not changed) is what you would use to actually ID the network and it doesn’t change regardless of SSID chosen.

Calling your network “Linksys” might keep the casual at bay; but the casual aren’t the ones dumping lightbulb firmware.


Yeah I can see how that might work. I just need… to smoke a little more weed… and yes… yes. I can see how this might work!


Wifi for each lightbulb is ridiculous. There are many better less power-consuming IoT-protocols like Zigbee (used by IKEA’s Tradfri) or Z-Wave.

Well, I’m happy to have never owned a “smart” lightbulb!

To be frank, I don’t really see the use case. Hitting the switch will always be good enough for me.


Are there still good techniques out there for WPA2(the real one; not that ‘TKIP’ nonsense)with WPS disabled?

Back in ye good olde days I remember that there were some WEP weaknesses that could allow you to infer your way in to a network, given some chatter to work with, pleasingly quickly; but that things were tightened up considerably once TKIP got tossed like the shoddy interim hack it was; and that most reports of WPA2 trouble surround WPS rather than WPA2 itself.

Boring old dictionary attacks can probably still knock over a lot of networks pretty quickly, bad passwords will probably be humanity’s most durable legacy; but that’s not a very elegant sort of attack.

1 Like

It certainly isn’t optimal; but it’s almost impressive how thoroughly the technically-vastly-more-suitable options have languished in confusion and obscurity(even the theoretically non-proprietary ones still tend to be quirky and haphazardly supported enough that they are usually used in the “works with the other items in the box it came in!” way rather than the “works with Zigbee stuff!” one); while WiFi has powered through(or powered down, that bring one of the big issues) the fact that it’s an atrocious fit for the job to put in some surprisingly credible options(an ESP8266 or friends isn’t coin-cell material; but it certainly does wifi vastly cheaper and.lower power than the standard’s heritage in way punchier hardware would suggest) while still being able to talk with basically all the devices because they have wifi.

The assorted protocol bridge pucks aren’t the end of the world or anything, and allow you to use something more suitable on the endpoints; but it’s always a bit astonishing how something like zigbee remains effectively impossible to find on an ordinary computer, phone, or tablet(though connecting dev hardware isn’t hard) and bluetooth, while much more widely available, remains rather eccentric in a lot of cases.

Somehow the expensive overkill has become the reliable lowest common denominator.