Hackable Light Bulbs Show Why the IoT Is Flawed

We must have the internet of things! And the internet of everything! And the internet of silly things (as Tony Poulos likes to put it) and the internet of… you get the idea. Or maybe not, because the word ‘thing’ is about as helpful as the word ‘cloud’. It gives people the impression they know what they are talking about, when really they do not know what they are talking about. A thing could be anything, so when people talk about the benefits of the IoT, or security for the IoT, they might as well be talking about the benefits of anything, or the security of anything. The lack of specificity means that instead of talking about everything you end up talking about nothing in particular.

The major security concern with the internet of things is that networking many devices together means each device must trust the others, so a vulnerability in any one of them becomes an attack path to every device connected to it. That message was repeated during the many conversations I had at this year’s Wearable Tech Show and it is also repeated by every security expert worthy of that description. However, some people will only understand it when a real example illustrates just how serious the risk is. So thanks go to Osram, manufacturers of light bulbs. They have made a specific thing that will illuminate our woolly abstract debates by being a blindingly good example of how IoT products can be both silly and grossly insecure at the same time.

I do not know about you, but I generally only use electric light when I am within visual range of the light source. Hence I find manual switches to be an effective way of interacting with my bulbs. Osram think differently. They think we need bulbs we can interact with from the other side of the planet, using the internet. They call them Lightify bulbs. (What a brilliant name; how much did that marketing genius get paid?) Some people might agree with Osram, and think they also need to remotely connect to their bulbs. But those people possess a different risk-reward equation to the one inside my head. I am confident that the benefits of using an internet-enabled light bulb will be very small, whilst I know I would suffer a lot if somebody decided to ruin my life by hacking my house, hacking my personal data or hacking whatever thing turns out to be hackable next. (After all, I sometimes make fun of businesses with connections to the security industry, so I have to consider the risk of reprisals.)

To reiterate: maximum upside of internet light bulb = tiny, maximum downside of internet light bulb being hacked = quite large. Hence my conclusion is that I will not benefit by buying internet light bulbs.

An advisory from security firm Rapid7 explained that the Lightify internet bulbs suffer several serious vulnerabilities, including the unencrypted storage of wireless network passwords and a susceptibility to code injection. Osram will patch most of the issues in the next update, but their existence reveals a lax attitude to security in the first place. Who wants their home network compromised because the manufacturers of their light bulb were so cheap and lazy that nobody on their payroll thought to write code to encrypt an important password?

Given that businesses keep making increasingly extravagant promises for how the IoT will improve our lives, the risks that flow from security weaknesses are bound to spiral upwards. But instead of weighing the risks against the benefits, a firm like Osram wants to market a more expensive bulb they developed whilst cutting security corners, then leave the customers to deal with the consequences if their life is ruined.

People keep talking about the need for security in the internet of things. The problem is that talk is cheap and security costs a lot more. If companies like Osram continue to skimp on security we will soon have a new name for the IoT. I fear we might be developing the internet of really bad ideas.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.