WiFi-connected smart lights are modern lighting solutions that you can control with your phone, voice commands, smart home hubs, etc. Using Wi-Fi enabled microcontrollers brings the convenience of remote control, letting you adjust brightness, color, timers, etc. from any device. The microcontrollers that run these smart home appliances, however, often lack any physical protection of their debug ports.
Debug ports are used during the initial development of embedded systems. These pins give direct access to the hardware to read log output or make changes to the firmware, and they are often placed in easy-to-reach locations so developers have quick access to them.
Manufacturers often cheap out on parts to cut production costs. One of the biggest security concerns with this is using microcontrollers that lack support for secure boot, modern (or any) encryption, a physical security component, and so on. These cuts make it easier for bad actors to tamper with the physical hardware, which can lead to firmware extraction or modification; this project is an example of that attack vector.

The original Hackers Nightlight was started in hopes of bringing awareness to the importance of using secure hardware; however, sometimes manufacturers don't go through the effort of enabling these security measures.
For this research project our team targeted ESP-based microcontrollers for their ease of development, simple hardware and code availability. Many open source Wi-Fi hacking and network monitoring firmwares exist for these microcontrollers, so it would take minimal modification to add these malicious features while keeping the original lighting functionality.
Our team targeted two smart lights: the Vont Color SLB02 and the Wyze WLPA19C2PK. Both feature an ESP32-C3 microcontroller, a model that supports secure boot, which prevents firmware extraction and modification without the proper key. Both models came apart the same way: removing the LED shade and then the LED array revealed the main PCB, with debug ports visible and even labeled.

A few wires later we had full access to the serial interface on the chips; secure boot was not enabled on either model. This allowed us to read and modify the firmware. To respect the property of these brands, we decided to erase all firmware from the lights and replace it with our own. From there we simply uploaded our modified firmware containing our malicious tools, sealed the lights back up and called it a day!
With this level of access, an attacker could easily modify the original firmware to implant a backdoor that captures information and runs attacks on other devices, and could then return the physical product for redistribution.
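The finding above (secure boot not burned on a chip that supports it) is something an owner or a manufacturer's QA can check before a device ships. As an added example, not code from the project's repository, here is a small Python audit that reads the text of `espefuse.py summary` from an ESP32-C3 and reports which protections are not enabled. The eFuse names are the real ESP32-C3 ones; the exact column layout of the summary output is assumed, and the sample summary is constructed to mirror the lights as found.

```python
import re

# Security-relevant ESP32-C3 eFuse names and the protection each one enforces.
# SPI_BOOT_CRYPT_CNT turns flash encryption on when an odd number of its bits are set;
# every other entry is a single enable bit.
SECURITY_EFUSES = {
    "SECURE_BOOT_EN": "secure boot: only firmware signed with the owner's key runs",
    "SPI_BOOT_CRYPT_CNT": "flash encryption: firmware cannot be dumped in clear over the debug port",
    "DIS_DOWNLOAD_MODE": "download mode (flash read/write over UART/USB) disabled",
    "DIS_USB_JTAG": "USB-JTAG debugging disabled",
    "DIS_PAD_JTAG": "pad JTAG debugging disabled",
}

# One eFuse line of `espefuse.py summary`: NAME (BLOCKn)  description  = <value> <perm> (<raw>)
# The column layout is assumed from espefuse's text summary; only the trailing fields are used.
_LINE = re.compile(
    r"^(?P<name>[A-Z0-9_]+)\s+\(BLOCK\d+\).*=\s+\S+\s+(?P<perm>[RW/-]+)\s+\((?P<raw>0[bx][0-9a-fA-F]+)\)\s*$"
)

def audit_efuse_summary(summary_text):
    """Map each eFuse in SECURITY_EFUSES to True/False (burned or not) or None (not in the summary)."""
    found = {name: None for name in SECURITY_EFUSES}
    for line in summary_text.splitlines():
        m = _LINE.match(line.strip())
        if not m or m.group("name") not in found:
            continue
        raw = int(m.group("raw"), 0)  # accepts both 0b... and 0x... raw values
        if m.group("name") == "SPI_BOOT_CRYPT_CNT":
            found["SPI_BOOT_CRYPT_CNT"] = bin(raw).count("1") % 2 == 1
        else:
            found[m.group("name")] = raw != 0
    return found

def missing_protections(findings):
    """Protections that are off or unknown; an empty list means the device is hardened."""
    return [desc for name, desc in SECURITY_EFUSES.items() if not findings.get(name)]

# Constructed sample in espefuse's summary layout, modelled on the lights as found: nothing burned.
SAMPLE_AS_FOUND = """\
DIS_DOWNLOAD_MODE (BLOCK0)        Disables all download boot modes              = False R/W (0b0)
DIS_USB_JTAG (BLOCK0)             Disables USB-JTAG                             = False R/W (0b0)
DIS_PAD_JTAG (BLOCK0)             Disables pad JTAG                             = False R/W (0b0)
SECURE_BOOT_EN (BLOCK0)           Enables secure boot                           = False R/W (0b0)
SPI_BOOT_CRYPT_CNT (BLOCK0)       Enables flash encryption (odd bit count)      = Disable R/W (0b000)
"""

if __name__ == "__main__":
    for gap in missing_protections(audit_efuse_summary(SAMPLE_AS_FOUND)):
        print("MISSING:", gap)
```

On real hardware, pipe the output of `espefuse.py --chip esp32c3 --port <serial port> summary` into `audit_efuse_summary`; an empty result from `missing_protections` is what a shipped light should show.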

This project was started in hopes of bringing awareness to users and manufacturers of why it's important to use secure hardware and ensure physical security. For a more in-depth process, please follow the GitHub link to the open source repository for this research, which covers code, flashing and capabilities.