Wednesday, 16 July 2014

Smart LED bulbs can be hacked too – Vulnerability exposes Wi-Fi passwords

So far we have seen how various smart home devices, such as refrigerators, televisions and routers, could expose our personal data, but now you can add one more worry to the list: LED light bulbs. Don't laugh! It's true.


Researchers in the United Kingdom from the security firm Context have developed an attack against Wi-Fi-connected light bulbs that are available for purchase in the United Kingdom. The attack can expose the credentials of the Wi-Fi network used to operate the bulbs to anyone with access to one of the LED devices.

The security vulnerabilities were found in LIFX Smart bulbs, which can be controlled from iOS- and Android-based devices, and allow an attacker to gain access to a "master bulb". With its help, the attacker could control all the connected bulbs on that network and expose the user's network settings.

 

Hackers find security weaknesses with the Lifx smart LED

A team of security experts in England recently hacked their way into a smart home's Wi-Fi network. Their inside man? The Lifx color-changing smart LED.

As first reported by LEDinside, Context, a UK-based consulting firm specializing in security, recently demonstrated an exploitable weakness within Lifx's mesh networking protocol, prompting Lifx to put out a quick firmware fix.

Initially a success on Kickstarter, Lifx smart LEDs are now available in the US, Australia, and throughout much of Europe and Asia. The bulb's stock is largely seen to be on the rise after it raised $12 million (about £7 million, or just shy of AU$13 million) in Series A funding from venture capital firm Sequoia Capital in June, shortly before being showcased for its third-party integration into Google's Nest-centric smart home ecosystem.

In a typical Lifx setup, one bulb will automatically serve as the "master," communicating directly with your smartphone and then relaying all info to other "slave" bulbs. Context's team was able to hack their way in by posing as a new slave bulb and tricking the master bulb into sending them Wi-Fi credentials -- the last thing you want a hacker to get their hands on.

On top of that, nothing that Context did raised any red flags within the Lifx network, or on the Lifx app. There wasn't even a notification that a new bulb was asking to join the network.

The Wi-Fi credentials shared by the master bulb were encrypted, but Context's team was able to decrypt them rather easily using Lifx's own reverse-engineered firmware.

Even more alarming was the fact that the decryption protocol Lifx bulbs were using to decode these credentials was a global one. If a hacker were to get their hands on it, they'd essentially have a skeleton key capable of letting them into any network that uses Lifx bulbs.

Don't race to uninstall your smart lighting just yet, though. Context immediately informed Lifx of the vulnerability, then described the tech start-up's response as "proactive." A firmware update that claims to eliminate the problem has already been issued.

The update also instituted a new, non-global method of decryption that's based on the specific Wi-Fi network in question. That should put an end to any skeleton key concerns.
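The difference between a global key and a network-scoped key, as an added example that is not Lifx's or Context's code: it assumes the per-network key is derived from the SSID and passphrase with PBKDF2, and uses an HMAC-based encrypt-then-MAC construction as a standard-library stand-in for a real cipher. All names, keys and network values are constructed.

```python
import hashlib, hmac, os

# Constructed stand-in for one key baked into every firmware image (not a real LIFX value).
GLOBAL_FIRMWARE_KEY = hashlib.sha256(b"constructed-global-key").digest()

def network_key(ssid: str, passphrase: str) -> bytes:
    """Assumed per-network derivation: PBKDF2 over the passphrase, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), ssid.encode(), 100_000, 32)

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for a real cipher.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not match the sealing key."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        return None
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

def demo() -> dict:
    msg = b"constructed mesh payload for network B"
    key_a = network_key("HomeA", "constructed-passphrase-A")  # key recovered on network A
    key_b = network_key("HomeB", "constructed-passphrase-B")
    global_blob = seal(GLOBAL_FIRMWARE_KEY, msg)   # pre-fix model: same key everywhere
    scoped_blob = seal(key_b, msg)                 # post-fix model: key tied to network B
    return {
        "global_key_opens_b": open_sealed(GLOBAL_FIRMWARE_KEY, global_blob) == msg,
        "key_a_opens_b": open_sealed(key_a, scoped_blob) is not None,
        "key_b_opens_b": open_sealed(key_b, scoped_blob) == msg,
    }

if __name__ == "__main__":
    print(demo())
```

With the global key, anything recovered from one firmware image opens traffic from every installation; with the scoped key, material recovered on network A fails authentication on network B.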

In addition, Context admits that the hack isn't the most practical one that they've seen, since the attacker would need to be within wireless range (about 30 meters) in order to pull it off. Still, if you're a smart-lighting enthusiast with an out-of-date Lifx app, now would probably be a good time to update.

http://www.cnet.com/news/hackers-discover-security-weaknesses-within-the-lifx-smart-led/ 

 

SOURCE: id-ont