Discarded smart bulbs are a valuable source of personal information.
Modern users of various devices are mostly representatives of consumer culture. If something breaks, the owner simply throws it away, without considering repair or wiping personal data from the device.
Hard disks full of data, phones with contact lists and their owners' data, and smart devices with saved logins and passwords all end up in the dump. Since few users have more than 2-3 logins and passwords, such gadgets can be a source of valuable information for hackers.
Such gadgets may look like mere garbage, but they are in fact miniature computers with a wide range of capabilities, one of which is storing previously entered information. And this information is not always harmless for the owner. Take, for example, a smart light bulb whose information security was examined by the website Limited Results.
The participants in the experiment purchased a LIFX smart light bulb on Amazon for 30 euros and set it up using the corresponding application. In particular, the light bulb was connected to WiFi. It was then disconnected and disassembled.
The experts' goal was the circuit board; it took considerable effort to get it out and remove the glue. The device was then identified as a mini PC based on the ESP32D0WDQ6. The module's datasheet, SDK and tools are publicly available.
The board was connected to an FT2232H, and the study began.
As it turned out, the wireless network credentials were stored in clear text.
In addition, the gadget is not protected from outside interference at all. No encryption, no secure boot, nothing.
Moreover, the root certificate and RSA private key were also accessible. With that, the study of the light bulb was complete.
By the way, the specialist did not publish his work immediately after discovering all this. He reported the problem to the manufacturer, waited 90 days and only then published everything. Perhaps the company has changed something, perhaps not. In any case, the poor security of modern smart devices is a significant problem that has been discussed and written about for many years. Unfortunately, little has changed.
The vulnerability of this particular manufacturer's smart bulb is far from unique. Last year, representatives of the same site hacked a device made by Tuya.
As in the previous case, the lamp was installed, connected to the wireless network and tested in operation. Everything worked fine. The light bulb was then disassembled and connected to a PC.
Exactly the same problems:
- The wireless network credentials were stored in the light bulb in the clear;
- The DeviceID and key were stored the same way. Thus, the bulb's MAC address can easily be determined. In addition, the local key is required for the Tuya Cloud service, so it can be extracted and used for any purpose. Once the deviceID and key are in an intruder's hands, he can control the gadget unhindered.
After reassembly, the light bulb was easily controlled using the data extracted from it.
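A manufacturer or auditor can test for the storage problems found in both bulbs before a device ships or is discarded. The following is an added example, not code from Limited Results or either vendor: it scans a raw flash image for the secrets written during setup and for PEM private-key headers. The image, the secret values and the function names are constructed for illustration, and the XOR keystream is only a stand-in for real flash encryption.

```python
import hashlib
import re

# PEM headers that mark private-key material left readable in an image.
PEM_PRIVATE_RE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def audit_flash_image(image, provisioned_secrets):
    """Return findings for secrets readable in a raw flash image.

    provisioned_secrets maps a label to the value written at setup time.
    Findings carry label and offset only, never the secret itself.
    """
    findings = []
    for label, value in provisioned_secrets.items():
        for encoding in ("utf-8", "utf-16-le"):
            needle = value.encode(encoding)
            start = 0
            while (pos := image.find(needle, start)) != -1:
                findings.append({"kind": "cleartext-secret", "label": label,
                                 "encoding": encoding, "offset": pos})
                start = pos + 1
    for match in PEM_PRIVATE_RE.finditer(image):
        findings.append({"kind": "pem-private-key",
                         "label": match.group().decode(), "offset": match.start()})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed test values, not taken from any real device.
SECRETS = {"wifi_ssid": "HomeNet-Example", "wifi_passphrase": "correct-horse-42"}


def constructed_image(encrypted):
    """Build a small constructed flash image, in the clear or enciphered."""
    plain = (b"\xff" * 64 + b"ssid\x00HomeNet-Example\x00pass\x00correct-horse-42\x00"
             + b"\xff" * 32 + b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
             + b"-----END RSA PRIVATE KEY-----\n")
    if not encrypted:
        return plain
    # Stand-in for flash encryption (assumption): XOR with a SHA-256 keystream.
    blocks = range(len(plain) // 32 + 1)
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(plain, stream))


if __name__ == "__main__":
    for f in audit_flash_image(constructed_image(False), SECRETS):
        print(f"{f['offset']:#06x} {f['kind']}: {f['label']}")
```

An empty result on an image read back from a provisioned unit is the pass condition; any finding means the value at that offset is recoverable by whoever picks the device out of the trash.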
In general, the problem is not limited to light bulbs. Data is stored the same way in all sorts of other smart gadgets, including cameras, speakers, refrigerators, kettles, pressure cookers, etc. Because of the weak security of these devices, hackers easily assemble botnets numbering many thousands or even millions of devices. This is done using malware, which, unlike the protection of smart devices, keeps becoming more sophisticated and dangerous.