Smart devices have become big business, with over $100 billion spent on them in 2019 worldwide. Being able to control lights with voice commands, or set home heating while still on the train home, can seem frivolous, but more and more people are finding that what seemed like a gimmick is now an important part of their home, letting them save money on energy bills, deter criminals, or alert them when deliveries are made, even if they’re not home.
Within that market, there are two major classes of device commonly used in homes: those that require some kind of hub (mostly making use of Zigbee or Z-Wave radios), and those which can be connected directly to a pre-existing Wi-Fi network. The latter class tends to be cheaper, but could present a significant risk to the security of home networks, simply because there is no separation between the devices and the sensitive data flowing across the network.
Wi-Fi enabled bulbs are easy to pick up at supermarkets and discount stores, and can usually be integrated with big-name devices like the Amazon Echo range, Google Home, and Apple HomeKit. The initial setup, however, usually requires the installation of a branded app on a phone with access to the appropriate network, and these apps are a very mixed bag in security (and functionality) terms.
Commonly, smart bulb apps from smaller manufacturers request a wide range of permissions on the phone, giving them access to microphone, contacts, and location data, and usually require internet access to enable features such as controlling lights remotely, or linking the bulbs to voice assistant services. Similarly, the bulbs themselves often either open a network connection to a remote server, or require ports to be opened on home routers – with many home routers, this can even be performed transparently to the user. They also have to hold the Wi-Fi network password in order to be able to reconnect, and as a convenience function, some manufacturers send this to remote servers associated with specific devices. This makes both individual bulbs and manufacturer servers targets for attackers, with bulbs installed in accessible locations, such as porches or garden lights, and services containing location data being particular points of interest.
Similarly, there is little oversight of the firmware running on the bulbs themselves. They are often based around off-the-shelf Wi-Fi modules, which have the capability to be upgraded remotely. Manufacturers can use this to push updates to the firmware, and there have been cases of firmware updates being performed in an insecure fashion, allowing unofficial firmware to be installed on the devices. This can be intentional, such as when a user chooses to install an unofficial version to enable some feature that the manufacturer's stock firmware does not support, but unless this remote update ability is limited to being triggered by someone with physical access to the device, there is little to stop remote attackers from abusing it. Due to the limited power of the devices, any attacks deployed this way are more likely to involve enlisting the bulbs in Distributed Denial of Service attacks against third parties than stealing end-user bank details.
Hub-based systems are not immune to security flaws, but do tend to reduce the attack surface: rather than multiple devices making connections to the wider internet, the hub performs this function, passing appropriate data over the local low-power network to end devices as required. Additionally, the devices themselves do not have direct access to the internet.