LIFX arguably makes some of the best smart lightbulbs available, but a new report indicates they might not be the most secure.
According to a teardown performed by Limited Results, LIFX Mini bulbs store unencrypted Wi-Fi credentials and have no firmware security.
To extract the information, Limited Results had to destroy the bulb to access its logic board. Once connected to the board, it didn’t take long to uncover several vulnerabilities.
For one, the LIFX bulb stores the Wi-Fi credentials in plaintext on its flash storage. Further, the bulb stores unencrypted RSA encryption keys — commonly used in establishing secure SSL or TSL network connections — on the flash storage.
While a hacker would need physical access to the lightbulb to obtain this data, the bulb’s firmware has no security to combat physical tampering. In other words, if you can access the bulb, there’s nothing to stop you from gaining access.
Limited Results informed LIFX of the vulnerability in May 2018 but didn’t receive a response until October the same year. Limited Results agreed to give LIFX 90 days before disclosing the vulnerability.
Update 02/01/2019: LIFX announced that it patched the vulnerabilities in late 2018. You can read more about the fixes here.