posted by Fnord666 on Friday October 25 2019, @10:48AM

Smart bulbs are expected to be a popular purchase this holiday season. But could lighting your home open up your personal information to hackers?

Earlier this year Amazon's Echo made global headlines when it was reported that consumers' conversations were recorded and heard by thousands of employees.

Now researchers at UTSA have conducted a review of the security holes that exist in popular smart-light brands. According to the analysis, the next prime target could be that smart bulb that shoppers buy this coming holiday season.

"Your smart bulb could come equipped with infrared capabilities, and most users don't know that the invisible wave spectrum can be controlled. You can misuse those lights," said Murtuza Jadliwala, professor and director of the Security, Privacy, Trust and Ethics in Computing Research Lab in UTSA's Department of Computer Science. "Any data can be stolen: texts or images. Anything that is stored in a computer."

Anindya Maiti and Murtuza Jadliwala. Light Ears: Information Leakage via Smart Lights [$]. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 3(3), 2019. DOI: 10.1145/3351256


  • (Score: 4, Insightful) by SomeGuy on Friday October 25 2019, @11:03AM (20 children)

    by SomeGuy (5632) on Friday October 25 2019, @11:03AM (#911582)

    But the consumertard lemmings that call themselves people will still happily buy this crap and then act all surprised when their personal information winds up in the hands of hackers, or worse. Then they will happily "solve" the problem by going out and buying all new "smart" stuff because new is always better; lather, rinse, repeat.

    • (Score: 1, Interesting) by Anonymous Coward on Friday October 25 2019, @11:44AM (9 children)

      by Anonymous Coward on Friday October 25 2019, @11:44AM (#911587)

      So, what we must do is generate open-ish hardware products that can be built with commodity parts from websites like SparkFun [sparkfun.com], AdaFruit [adafruit.com], and what-have-you by a hobbyist. Publish the recipes under Creative Commons or whichever popular libre/socialist, GPL-compatible/inspired license would be applicable. No, we won't be able to achieve wafer thin iShit, but fuck iShit. Create a libre/socialist (GPL) software ecosystem for the Internet of Secure Things. (IoST, where the S stands for security, just like it does in IoT.)

      There seems to be a demand here that the capitalist market is incapable of fulfilling in a way that respects the privacy and liberty of the end user.

      • (Score: 1, Funny) by Anonymous Coward on Friday October 25 2019, @11:57AM

        by Anonymous Coward on Friday October 25 2019, @11:57AM (#911593)

        I'm planting my own Ada tree, so I can get my Adafruit for free!

      • (Score: 3, Interesting) by canopic jug on Friday October 25 2019, @12:04PM (2 children)

        by canopic jug (3949) Subscriber Badge on Friday October 25 2019, @12:04PM (#911597) Journal

        A very difficult step there will be to get all the certifications needed so that such a bulb is approved as a consumer device and allowed to be sold, even in small quantities. You can bet that the proprietary bulb makers, who wish to facilitate planned obsolescence as well as lock out competition, would fight that. So would observing third parties, such as M$, which oppose consumer modding and even fight general purpose computing. However, if even one fully certified bulb hit the market with user-moddable or user-replaceable firmware, that would be enough to open the door and perhaps change the market completely.

        --
        Money is not free speech. Elections should not be auctions.
        • (Score: 1, Interesting) by Anonymous Coward on Friday October 25 2019, @03:46PM (1 child)

          by Anonymous Coward on Friday October 25 2019, @03:46PM (#911670)

          A very difficult step there will be to get all the certifications needed so that such a bulb is approved as a consumer device and allowed to be sold, even in small quantities. You can bet that the proprietary bulb makers, who wish to facilitate planned obsolescence as well as lock out competition, would fight that. So would observing third parties, such as M$, which oppose consumer modding and even fight general purpose computing.

          I think this is pointless fearmongering. These companies are unlikely to have much if any influence on the approval process.

          What certifications do you need for a smart light bulb? Probably you need the country-appropriate stamp for mains powered equipment, since presumably the goal is to plug directly into the mains light socket, and you might need FCC or similar local regulatory approval for electronic equipment. In many cases you can self-certify FCC part 15 compliance which I believe should be pretty straightforward if you either don't include a radio or use one of the many self-contained commercial-off-the-shelf radio modules.

          Basically you should just have to call up your favourite independent test lab such as Underwriters Laboratories or Intertek, tell them what countries you plan to sell in, they will help you decide what standards to test against and do that testing on a product sample provided. You get a nice report of the test results, and probably this takes a few iterations to resolve issues. Once passed, you get to put the zillion different approval stickers on your product and you're done. Other companies don't participate in this process which is between you and the test lab...

          What you will need is money to pay for the independent testing. I would suggest crowdfunding is perfect for this.

      • (Score: 2) by c0lo on Friday October 25 2019, @12:23PM (2 children)

        by c0lo (156) Subscriber Badge on Friday October 25 2019, @12:23PM (#911605) Journal

        commodity parts from websites like SparkFun [sparkfun.com], AdaFruit [adafruit.com], and what-have-you by a hobbyist.

        Yeah, right, hobbyist with deep pockets. I prefer to buy uC, sensors and dev-boards on aliexpress, at least 3 to 4 times cheaper - made in Taiwan anyway.

        Publish the recipes under create commons or which ever popular libre/socialist, GPL-compatible/inspired license would be applicable.

        Yeah, right! You're dreaming.
        Wake up, what you suggest already happens and guess what? Only hobbyists choose to build them, mainly for themselves. Because, see, a hobbyist is a hobbyist; once he has his problem solved, he's not interested in starting a business repeating the same design for mass production when there are so many other new designs to try or to invent.
        He'll be happy to publish his design and software and what not, but he will not build it for you.

        --
        https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 2) by Mojibake Tengu on Friday October 25 2019, @01:19PM (1 child)

          by Mojibake Tengu (8598) on Friday October 25 2019, @01:19PM (#911624) Journal

          Yeah, right, hobbyist with deep pockets...

          Hobbyists with deep pockets buy industrial grade electronics for (home) automation, not consumer grade. Yes, it is fun to build something practical from toy grade electronics too, but often at the cost of inferior electrical properties and unpredictable reliability. Would you rely on your cheap constructions with your life?

          --
          Rust programming language offends both my Intelligence and my Spirit.
          • (Score: 2) by c0lo on Friday October 25 2019, @05:08PM

            by c0lo (156) Subscriber Badge on Friday October 25 2019, @05:08PM (#911728) Journal

            Sparkfun and Adafruit are as reliable as the Aliexpress stuff. Only 3-5 times as expensive.

            --
            https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by VLM on Friday October 25 2019, @12:59PM

        by VLM (445) Subscriber Badge on Friday October 25 2019, @12:59PM (#911614)

        The people that are getting pwned are buying vertical silo devices that connect to big brother and nobody else over the internet.

        Anyone who wants something useful has the opposite devices. My hass.io is firewalled off from the internet, has a zwave radio, and I could, if I wanted, buy standard compatible zwave bulbs that can't connect to the internet anyway but can connect to everything connected to my hass.io install, which is a lot of interaction.

        Anyone who's capable of or interested in actually useful applications is already using the COTS FOSS(ish) solution and isn't going to care about replicating a slightly less shitty vertical silo.

        Essentially what we have in home automation here is the old "BBS vs internet access" battle of the 90s being replayed. There's lots of TV commercials and free CDs for AOL, but nobody wants it and the wide open internet is more useful although there's no TV commercials for it. The more useless the commercial product the more likely there's marketing heavily pushing it because it's so obviously useless.

        Everybody actually DOING stuff with light bulbs as a UI is already using FOSS and zwave gear, not some internet connected big brother shit they won't have API access to anyway so they couldn't use it if they wanted.

      • (Score: 3, Touché) by epitaxial on Friday October 25 2019, @01:37PM

        by epitaxial (3165) on Friday October 25 2019, @01:37PM (#911627)

        No thanks I'm going back to incandescent lights. Winter is on the way anyhow.

    • (Score: 2) by canopic jug on Friday October 25 2019, @11:49AM (1 child)

      by canopic jug (3949) Subscriber Badge on Friday October 25 2019, @11:49AM (#911589) Journal

      The article is devoid of technical details but since I have to guess, I would expect that the hardware in these bulbs is one-off for each production run. That means that the firmware is too. In any case it is improbable that they have designed these things with even a modicum of update capabilities. As such it would be impractical if not impossible to make a generic Free and Open Source firmware kit for the bulbs analogous to the OpenWRT [openwrt.org] project for routers.

      You can still tear down and dissect a particular model of bulb [hackaday.com] which has features you might find useful, but that is a one-off activity for that unique model.

      --
      Money is not free speech. Elections should not be auctions.
      • (Score: 3, Insightful) by VLM on Friday October 25 2019, @01:09PM

        by VLM (445) Subscriber Badge on Friday October 25 2019, @01:09PM (#911619)

        In any case it is improbable that they have designed these things with even a modicum of update capabilities.

        The problem with the industry is it's the same people designing, making, and buying equipment regardless of whether it's something like insteon or zwave which doesn't connect to the internet (although you can make buggy and unmaintained closed source devices that connect between insteon and zwave and the internet...) vs devices that inherently are just internet connected scada systems that are wide open for the whole world to hack.

        It's "OK" that I could never upgrade the firmware on my Insteon switches, either they work or they don't and it's pretty simple and nobody can access them but my insteon adapter hub thing connected via serial port ... OTOH, something like an Alexa Echo, that would be a huge problem.

        To mess with my zwave system you have to be in radio range of my house or break into something else in my house that has zwave access (that being the hass.io hub system, which doesn't have general internet access so good luck). To mess with a general internet connected IoT device, you merely need to also be on the internet, a slightly larger sized threat model, LOL.
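The two VLM comments above rest on one claim: the hub is "firewalled off from the internet", so an attacker has to be in radio range or already inside the LAN. That claim is worth verifying rather than trusting the firewall configuration. The following is an added example, not code from the posts or from Home Assistant/hass.io: it scans connection records for any flow the hub sources to a non-local address. The record format, the hub address and the sample flows are constructed for illustration; a real check would feed in conntrack, netflow or firewall-log output reshaped into the same four columns.

```python
"""
Audit a home-automation hub's isolation from the internet by scanning
connection records for flows from the hub to non-local destinations.
Added example: the format, addresses and sample flows are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed hub address on the LAN (not from the post).
HUB_IP = ipaddress.ip_address("192.168.10.20")

# Constructed sample records: "<proto> <src> <dst> <dport>", one per line.
# Two of the hub's flows go to public addresses; the SSDP multicast and
# the DNS/MQTT flows to the router stay on the LAN.
SAMPLE_FLOWS = """\
tcp 192.168.10.20 192.168.10.1 1883
udp 192.168.10.20 192.168.10.1 53
tcp 192.168.10.20 93.184.216.34 443
tcp 192.168.10.55 192.168.10.20 8123
udp 192.168.10.20 239.255.255.250 1900
tcp 192.168.10.20 172.217.0.1 80
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: Address
    dst: Address
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        proto, src, dst, dport = parts
        flows.append(Flow(proto, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport)))
    return flows


def is_local(addr: Address) -> bool:
    """True for addresses whose traffic never leaves the LAN.

    Checked explicitly instead of via addr.is_global: that property is
    about public allocation, not about whether a packet leaves the LAN,
    and it does not treat IPv4 multicast (SSDP's 239.255.255.250) as
    local the way this audit needs.
    """
    return (addr.is_private or addr.is_multicast or addr.is_link_local
            or addr.is_loopback or addr.is_unspecified)


def hub_egress_violations(flows: List[Flow], hub: Address) -> List[Tuple[str, int]]:
    """Flows sourced by the hub whose destination is outside the LAN."""
    return [(str(f.dst), f.dport) for f in flows
            if f.src == hub and not is_local(f.dst)]


def talks_to_internet(flows: List[Flow]) -> List[str]:
    """Every LAN host that initiates a flow to a non-local address; the
    same check applied to the bulbs themselves, which should stay off."""
    return sorted({str(f.src) for f in flows
                   if is_local(f.src) and not is_local(f.dst)})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for dst, port in hub_egress_violations(flows, HUB_IP):
        print(f"hub reached {dst}:{port} - not isolated")
    print("hosts with internet egress:", talks_to_internet(flows))
```

Any non-empty result means the hub is not isolated, whatever the firewall is supposed to be doing; running it periodically over a live `conntrack -L` dump catches a rule that was loosened later or a device that found a second path out.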

    • (Score: 3, Insightful) by Runaway1956 on Friday October 25 2019, @11:55AM (7 children)

      by Runaway1956 (2926) Subscriber Badge on Friday October 25 2019, @11:55AM (#911591) Journal

      I'll second the "Smart" stuff is dumb.

      Exactly what features does a "smart" light bulb offer? I've never even CONSIDERED the possibility of a "smart light". Let me look for something . . .

      I see a useful feature. They can be set to come on and off at some preset time, such as ten minutes before you arrive home from work. I can do that with a simple timer, which I can probably purchase for ten bucks. A seven-day timer might cost a little more, maybe $25, I suppose. Or, I could just set up a cron job on a desktop, laptop, raspberry pi, or whatever to turn the lights on.
      https://www.instructables.com/id/Raspberry-Pi-With-Sensor-to-Turn-Onoff-Light/ [instructables.com]

      Smart bulbs know when you are nearby? Lights have had motion sensors for a long long LONG time. We have some at work. The forklift refueling station has two, and the dumpsters have four motion sensing lights mounted nearby. No "smart" lights necessary.

      The rest of the "features" listed don't really seem to be "features" at all.
      http://homementors.com/10-things-need-know-smart-light-bulbs/ [homementors.com]

      A person who is at least moderately handicapped may find some of those features to be very useful. But, the average lard-assed American actually NEEDS the exercise associated with turning lights off and on.

      --
      “I have become friends with many school shooters” - Tampon Tim Walz
      • (Score: 0) by Anonymous Coward on Friday October 25 2019, @12:27PM (2 children)

        by Anonymous Coward on Friday October 25 2019, @12:27PM (#911606)

        the average lard-assed American actually NEEDS the exercise associated with turning lights off and on.

        but that would deplete their life force ...

        • (Score: 0) by Anonymous Coward on Friday October 25 2019, @12:34PM (1 child)

          by Anonymous Coward on Friday October 25 2019, @12:34PM (#911608)

          > life force ...

          What does an old Patrick Stewart movie have to do with this topic?

          • (Score: 0) by Anonymous Coward on Saturday October 26 2019, @09:24PM

            by Anonymous Coward on Saturday October 26 2019, @09:24PM (#912192)

            It's from the old Gauntlet arcade game. "Yellow Wizard, your life force is running out."

      • (Score: 4, Informative) by VLM on Friday October 25 2019, @12:51PM (3 children)

        by VLM (445) Subscriber Badge on Friday October 25 2019, @12:51PM (#911610)

        Exactly what features does a "smart" light bulb offer?

        I've fooled around with home automation since Misterhouse was new technology (last century) and been thru X10 and Insteon and now use zwave, etc. So I have some experience.

        Obviously the silo'd manufacturer provided app is useless because it connects to nothing. Possibly, you could use the vertical silo mfgr provided app to play static games like color temperature matching to painted wall color or some nonsense like that.

        In the non-silo'd ecosystem of home automation the primary use I've seen (although I haven't used) is signal reporting. For people that don't want text messages or speech or beeping or whatevs, you have a light near the door or maybe near your clothes closet that's blue when tomorrow's forecast predicts cold weather (or rain?) and red when it's hot. Or the color means precip and the brightness means temperature. Or dim green means all is well, yellow means no problemo the garage door was left open, flashing red means the water sensor under the clothes washer just triggered.

        A smaller subset plays games with holiday accent lighting. October gets orange pumpkin accent lighting. Christmas gets green and blue. Valentines gets red. Green for St. Paddy's Day. I guess you shut the bulb off (aka black) for MLK day. For 4th of July you toggle the bulb as fast as possible until the switching power supply explodes. I guess.

        Honestly it seems like a lot of work to avoid a literate text interface or speech. But some people like their colored light user interfaces.

        • (Score: 2, Interesting) by Jay on Friday October 25 2019, @04:07PM (2 children)

          by Jay (8679) on Friday October 25 2019, @04:07PM (#911690)

          I have a half dozen Philips Hue programmable LEDs. I set them up to perform a sunrise and sunset every day.

          Living where the daylight hours change by 6+ hours over the course of a year I find the consistent artificial sunrise and sunset to be invaluable. Having "sunrise" at the same day every day really sets a more appropriate circadian rhythm than having sunrise slip to after I need to be up in the depths of winter.

          Similarly, having the main living areas of the house start dimming towards a red-orange sunset around 8pm and wrapping up around 10:30pm really pushes me to go to bed. Along with f.lux on my computer doing a good red-shift, it's a lot easier to consistently go to bed on time.

          While I could sort-of accomplish this with a dimmer and a timer, I adjust the color balance to mimic the sunrise and sunset as well. In the morning by the time the lights transition from deep red through orange, yellow, and towards a bluer white, I'm usually wide awake without an alarm. It's a really nice way to wake up, especially in the winter.

          • (Score: 3, Funny) by maxwell demon on Friday October 25 2019, @06:15PM

            by maxwell demon (1608) on Friday October 25 2019, @06:15PM (#911772) Journal

            at the same day every day

            Groundhog day? :-)

            --
            The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by VLM on Friday October 25 2019, @10:37PM

            by VLM (445) Subscriber Badge on Friday October 25 2019, @10:37PM (#911892)

            I set them up to perform a sunrise and sunset every day.

            That's an interesting idea.

            As an experiment have you ever tried the visual equivalent of audio equalizing? It's kinda the opposite of what you're doing... I've considered playing with that. So bright lights on the west side of the house for sunrise and bright lights on the east side of the house for sunset to "equalize" light levels.

            Another very strange illumination equalization experiment would be putting a window sensor on drapes and regardless of position of drapes the light level in a room could be constant. A strange hack on the multiple purposes of drapes, sometimes for privacy sometimes for light control.

            There are practical applications of time based hacks for lighting... my bedroom closet faces west unfortunately and some form of illuminational equalization could actually be practically useful. Flip a switch and regardless of time of day I can pick clothes in sunlight, or something like that. Using hue control bulbs I could correct for red/yellow at sunrise and sunset.

  • (Score: 4, Insightful) by Rich on Friday October 25 2019, @01:04PM (2 children)

    by Rich (945) on Friday October 25 2019, @01:04PM (#911618) Journal

    Don't forget kids, The "S" in "IoT" stands for "Security".

    But our never resting industry, in its never-ending quest for an improved, family-friendly, and children-safe usage experience, already works on a next generation of great products specially focused on the domestic market, tentatively dubbed "Secure Home Internet (of) Things".

    On a more serious note, don't forget that this S.H.I.T. stuff very often means "Philips Hue": Never forget that Philips annoy the world with a trivial patent on PWM-RGB dimming. They don't deserve your business.

    • (Score: 2) by takyon on Friday October 25 2019, @01:20PM

      by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Friday October 25 2019, @01:20PM (#911625) Journal

      Internet of ThingSSS

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 1, Interesting) by Anonymous Coward on Friday October 25 2019, @05:46PM

      by Anonymous Coward on Friday October 25 2019, @05:46PM (#911747)

      I have long thought the correct term is IDIoT (Insecurely deployed internet of things)

  • (Score: 4, Funny) by theluggage on Friday October 25 2019, @02:14PM (1 child)

    by theluggage (1797) on Friday October 25 2019, @02:14PM (#911632)

    From TFA:

    If these same bulbs are also infrared-enabled, hackers can send commands via the infrared invisible light emanated from the bulbs to either steal data or spoof other connected IoT devices on the home network. The owner might not know about the hack because the hacking commands are communicated within the owner’s home Wi-Fi network, without using the internet.

    ...Jadliwala recommends that consumers opt for bulbs that come with a smart home hub rather than those that connect directly to other devices

    So... let's get this right... these bulbs hook up to my home WiFi, either use UPnP (Universal plug and pwn) to get a forwarded port, or 'dial out' to the manufacturers website (that is already 'no deal' but...) - so a hacker can crack the server/pull a MITM somehow (double no deal - sounds like my home wifi is now pwned) and turn the lights on and off and hence... what? turn my TV on/off? Hack into my 10-year-old laptop that still has an IR port? That's like... "if somebody stabs you, blood might get into your watch and ruin it".

    Okaaay... so not exactly wrong, but missing the point somewhat... but then you say I can mitigate this by buying bulbs that work via a "smart hub" (because they never have any security/privacy problems... even with third-party apps)?

    Apparently you can get these little toggle/lever things that you fit on the wall, right by the door, that let you control the lights right when you walk in or out of the room... I believe there are even boxes of tricks that can turn on lights automatically when you walk in, use a remote control or even on a timer if you want to fool stupid burglars and that some of them - by some strange sorcery - don't need the internet at all!

    • (Score: 0) by Anonymous Coward on Friday October 25 2019, @07:15PM

      by Anonymous Coward on Friday October 25 2019, @07:15PM (#911803)

      I downloaded and looked at the paper. The IR modulation stuff they are talking about is using it for data extraction:

      We show that such an attack can be accomplished by carefully manipulating and controlling (possible on modern smart lights) the infrared light to create a “covert-channel” between the smart light and an adversary with infrared sensing capability. With the help of a malicious agent on the user’s smartphone or computer, the adversary can encode private information residing on these devices and then later transmit it over the infrared covert-channel residing on the smart light.

      So, maybe relevant to James Bond, but I don't think you have anything to worry about unless you're letting him into your house.
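The paper passage quoted in the comment above describes an infrared covert channel: an agent already on the victim's device encodes data as changes in the bulb's invisible output, and a receiver with line of sight to the bulb decodes it. The following toy model is an added example, not code from the Light Ears paper or from any smart-light product, and it shows what the threat model actually requires (a compromised device plus an IR sensor in view) and how slow such a channel is. The frame rate, the four-level brightness alphabet, the preamble and the sensor noise model are assumptions chosen for illustration.

```python
"""
Toy model of an infrared covert channel through a smart bulb.
Added example: a malicious agent on the victim's device drives the IR
emitter to one of four brightness levels per frame; an attacker sampling
the brightness with an IR sensor recovers the bytes. All channel
parameters below are assumptions, not values from the paper.
"""
import random
from typing import List

# Assumed channel parameters: four brightness levels carry two bits per
# frame; the preamble lets the receiver find the start of a message.
LEVELS = [0.0, 0.33, 0.66, 1.0]
PREAMBLE = [1.0, 0.0, 1.0, 0.0]
FRAMES_PER_SECOND = 20          # assumed bulb update rate


def encode(payload: bytes) -> List[float]:
    """Map a payload to IR brightness frames: preamble, 2-byte length, data."""
    frames = list(PREAMBLE)
    body = len(payload).to_bytes(2, "big") + payload
    for byte in body:
        for shift in (6, 4, 2, 0):          # most significant two bits first
            frames.append(LEVELS[(byte >> shift) & 0b11])
    return frames


def nearest_level(sample: float) -> int:
    """Quantise a (possibly noisy) brightness reading to a symbol index."""
    return min(range(len(LEVELS)), key=lambda i: abs(LEVELS[i] - sample))


def decode(samples: List[float]) -> bytes:
    """Locate the preamble, then rebuild bytes from 2-bit symbols."""
    pre = [nearest_level(s) for s in PREAMBLE]
    symbols = [nearest_level(s) for s in samples]
    for start in range(len(symbols) - len(pre) + 1):
        if symbols[start:start + len(pre)] == pre:
            break
    else:
        raise ValueError("preamble not found in samples")
    data = symbols[start + len(pre):]
    out = bytearray()
    for i in range(0, len(data) - 3, 4):
        out.append((data[i] << 6) | (data[i + 1] << 4)
                   | (data[i + 2] << 2) | data[i + 3])
    length = int.from_bytes(out[:2], "big")
    return bytes(out[2:2 + length])


def add_sensor_noise(frames: List[float], sigma: float = 0.03,
                     seed: int = 1) -> List[float]:
    """Simulate an imperfect IR sensor: Gaussian noise, clipped to [0, 1]."""
    rng = random.Random(seed)
    return [min(1.0, max(0.0, f + rng.gauss(0.0, sigma))) for f in frames]


def seconds_to_exfiltrate(n_bytes: int) -> float:
    """Channel time for n payload bytes at the assumed frame rate."""
    return (len(PREAMBLE) + 4 * (2 + n_bytes)) / FRAMES_PER_SECOND


if __name__ == "__main__":
    secret = b"pin:4242"
    # Idle frames at mid brightness before and after the message, so the
    # receiver has to find the preamble rather than assume alignment.
    captured = [0.5] * 7 + add_sensor_noise(encode(secret)) + [0.5] * 3
    print(decode(captured))
    print(f"{seconds_to_exfiltrate(1024):.1f} s per KiB of payload")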

  • (Score: 2) by isj on Friday October 25 2019, @05:22PM (1 child)

    by isj (5249) on Friday October 25 2019, @05:22PM (#911733) Homepage

    I work with building automation so I have some insight.

    The problem with light bulbs in most/domestic environments is that they must be easy to replace and cheap to install.

    You won't get a consumer to enter a pincode to make a new bulb work. You won't get an engineer in a hotel to enter a pincode to make a new bulb work. You can scream all you want but it won't happen.

    Ideally, the firmware/logic would be in the fixtures but that raises the cost of installation and requires an electrician. That is unlikely to happen except for new buildings. Also, new interfaces/sockets would have to be invented because there currently don't exist (at least not that I'm aware of) any that can do more than just deliver power - the signalling is missing. So you can't control colors, don't know if the LED bulb effectively goes dark when fed less than 30% power, etc.

    The article is unfortunately behind a paywall but I can speculate that for zigbee they have looked at the ZLL sub-family and its vulnerabilities (see https://eyalro.net/project/iotworm.html). [eyalro.net]

    • (Score: 0) by Anonymous Coward on Sunday October 27 2019, @08:53AM

      by Anonymous Coward on Sunday October 27 2019, @08:53AM (#912352)

      Interesting perspective.

      You're missing something though. The powerline is there. Powerline networking is very mature; spread spectrum techniques are not new. The common bus might be an issue for a larger building without enough RI at junctions to attenuate between sections, but I find it hard to believe that light control has such data throughput needs that the bandwidth can't accommodate.

  • (Score: 5, Touché) by maxwell demon on Friday October 25 2019, @06:24PM

    by maxwell demon (1608) on Friday October 25 2019, @06:24PM (#911777) Journal

    The answer is simple: Does it have "smart" in the name? Then it's not secure.

    Maybe "smart" is really an acronym for "Security Missing And Ready to Tap".

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Friday October 25 2019, @10:04PM

    by Anonymous Coward on Friday October 25 2019, @10:04PM (#911880)

    So IOT bulbs have security risks? Gee, who wouldda guessed.

  • (Score: 0) by Anonymous Coward on Sunday October 27 2019, @01:41AM

    by Anonymous Coward on Sunday October 27 2019, @01:41AM (#912254)

    UTSA = University of Texas at San Antonio.
    (For others like me who have never heard of it)
