Recently, a series of vulnerabilities in a brand of Wi-Fi lightbulb were reported. I lean on the skeptical side of such stories as they are sometimes over-hyped to stoke fear and draw clicks. Fear and clicks lead to sales, so follow the money. In this case, the hype is real in certain situations and the opportunity for secure destruction service providers will only grow.
In a nutshell, these vulnerabilities are the result of a design in the lightbulb circuitry that allows the wi-fi password of the user to be revealed, as well as the authentication keys that interact with the manufacturer’s cloud-based servers. I’ll save you the geek-speak and the time by saying that this is a problem. Many in the IT world might read this and focus on why this can’t happen to them, or why it wouldn’t be a big deal if it did happen to them. I looked at it from a bigger perspective and started asking myself what this means to the destruction industry as a whole.
To exploit these vulnerabilities, physical access to the inner circuit board of the light bulb is required. Few of us run the risk that someone would come into our home or business, take apart one of our wi-fi light bulbs, solder wires to the tiny circuit board, and steal our wi-fi password. But at the end of life, those who take custody of these light bulbs will possibly hold keys to our home and business networks. And to the layperson, the steps to accessing this data may look difficult. For the average person with a little experience in hardware, basic coding skill, and the ability to follow directions, this would not be challenging at all. In addition, if I were to have many of these bulbs, I would have the opportunity for multiple tries at the data.
The mechanism by which these bulbs connect to wi-fi and then connect to the cloud that supports their remote operation probably isn’t unique in the Internet-Of-Things (IoT) world. It is a cheap, reliable, and effective technology. In addition, it is simple. For the biggest market share in the IoT market, a device must be easy enough for everyone to use. It is completely reasonable to expect that this same combination of the circuit board, firmware, and onboard credential storage is probably in many, many things. From smart robot vacuums (which also store the floorplans of the places in which they are used), to wi-fi controlled space heaters, to smart coffee makers and slow cookers, far more than just light bulbs are probably at risk.
When high profile people dispose of or donate their personal IoT devices, will they think about these possibilities? When IoT devices in organizations reach the end-of-life, will security managers consider these new risks? For a while, the answer is probably not. Right now, many organizations still do not routinely scan, review, and know all devices that are connected to their networks, wired or wireless. Who can uniquely assist these people and organizations with these risks? Certified Information Destruction practitioners, that’s who. And therein lies the opportunity. Yes, it can be mind-boggling to think of all the things that get connected to the internet these days. But that means we are in no danger of becoming irrelevant any time soon. Form factors will change, IT will keep getting smaller. But today, the safest assumption to make is that if something powers up, it might contain data, or it might be an entry point for unauthorized system access. If either or both are true, the device must be considered for secure destruction at the end of life.
If you are like me and embracing all things IoT, how do you protect your home and business networks while still taking advantage of all the benefits that our connected world brings? Here are no- and low-cost recommendations to stay safe:
- Always make your passwords/passphrases strong and unique
- Store passphrases in a password keeper
- Always change the default usernames and passwords on network gear
- Create a separate network segment for IoT devices only
- Consider using a VPN on your devices when available