LIFX fixes light bulb security flaw that stored unencrypted Wi-Fi credentials

Affected LIFX bulbs received firmware and app updates that encrypted exposed data

LIFX bulb

Following a report earlier this week that some LIFX smart bulbs stored Wi-Fi credentials in an unencrypted state, the company says it has fixed the issue.

LIFX worked with Limited Results, which discovered the Wi-Fi vulnerability along with two other security issues, to fix the flaws after the company was made aware of the problem in 2018.

It pushed firmware and app updates to its Mini bulbs and users in fourth-quarter of 2018 to fix the flaw.

Along with the exposed Wi-Fi credentials, Limited Results found the light bulb stored unencrypted RSA keys, which are typically used when securing SSL and TSL internet transmissions. Finally, the LIFX Mini bulbs had no firmware-level security to prevent malicious actors from accessing this data if they tampered with the device.

Following the firmware and app updates, both Wi-Fi credentials and RSA keys are encrypted. Further, LIFX has introduced extra security settings to the hardware.

Customers can update their lights using the companion app by going into ‘Settings’ and tapping ‘Update firmware.’

Additionally, LIFX says customers can change their Wi-Fi credentials, which would render the exposed information irrelevant. The company also recommends doing this as regularly as is convenient to ensure your network is secure.

On top of this, the company released a blog post detailing some basic steps for ensuring network security, such as what to name your Wi-Fi network and what password to use.

You can read more about LIFX work to secure its products here.

Source: LIFX