IoT Christmas lights. Festive security issues?

Jack

xmas0.png


When you’re taking your Christmas decorations and lights down today you might be thinking about whether you’ll upgrade next year to one of the various brands of ‘smart’ festive lights with smartphone integration.

This year we aren’t overwhelmed with choices in the UK (though even ASDA is selling them now) so we imported some from the US to see what their security was like.

Overall, there isn’t much of an actual threat to our security, but the security of the lights themselves is a bit of a joke. Worst case I can currently see is that a rogue neighbour or passer-by turns them off or makes them flash differently.

That said, we think there may be a route to force some sets of lights to flash at frequencies that could cause issues for people who experience photo-sensitive epilepsy.

I haven’t yet found a set of lights that act as a client on a wireless network, or communicate over Bluetooth with a home network hub, so none of these devices would compromise your home security.

Premier Decorations “SmartBrights”
These are one of the very few Wi-Fi lights I could find.

xmas1.png


The lights act as an access point. The SSID is PREMIERDEC and the PSK is 88888888 (oh, how very Mirai!), helpfully marked up on the control box that you no doubt leave hanging up outside your house.

xmas2.png


In theory it’s possible to change both, but the app is really painful to use. The Android app also has read/write/delete permissions for USB storage?? I suspect that most users will leave the SSID/PSK default. WiGLE API seems to confirm this:

xmas3.png


Why they’re left in AP mode, I don’t know. This makes the user experience awkward – disconnect from home Wi-Fi, reconnect to Christmas lights, change their flashing mode.

This also exposes the control module to a LOT of traffic as all of your apps will see it as a gateway and hammer it. We had a similar problem with the Mitsubishi Outlander.

What a waste of time. IoT vendors clearly know how to exploit the geek in us all!

Zaplites
These are Bluetooth controlled rather than Wi-Fi. Guess what… there’s no pairing security.

xmas4.png


So, a rogue hacker in your neighbourhood could control your Xmas lights. Not much of a security issue there, I suppose.

George (ASDA) Home lights
Even more Bluetooth controlled lights and just as little security:

xmas5.png


Scan for lights, no pairing security:

xmas6.png


Oh dear. Not-so-well done ASDA.

It doesn’t really affect your home security much though, as the lights don’t connect to your home network.




Read more: Christmas lights. Festive security issues? | Pen Test Partners
 
