
Christmas lights. Festive security issues?

Ken Munro 05 Jan 2017

When you’re taking your Christmas decorations and lights down today you might be thinking about whether you’ll upgrade next year to one of the various brands of ‘smart’ festive lights with smartphone integration.

This year we aren’t overwhelmed with choices in the UK (though even ASDA is selling them now) so we imported some from the US to see what their security was like.

Overall, there isn’t much of an actual threat to our security, but the security of the lights themselves is a bit of a joke. Worst case I can currently see is that a rogue neighbour or passer-by turns them off or makes them flash differently.

That said, we think there may be a route to force some sets of lights to flash at frequencies that could cause issues for people who experience photo-sensitive epilepsy.

I haven’t yet found a set of lights that act as a client on a wireless network, or communicate over Bluetooth with a home network hub, so none of these devices would compromise your home security.

Premier Decorations “SmartBrights”

These are one of the very few Wi-Fi lights I could find.

The lights act as an access point. The SSID is PREMIERDEC and the PSK is 88888888 (oh, how very Mirai!), helpfully marked up on the control box that you no doubt leave hanging up outside your house.

In theory it’s possible to change both, but the app is really painful to use. The Android app also has read/write/delete permissions for USB storage?? I suspect that most users will leave the SSID/PSK default. http://wigle.net seems to confirm this:

Why they’re left in AP mode, I don’t know. This makes the user experience awkward – disconnect from home Wi-Fi, reconnect to Christmas lights, change their flashing mode.

This also exposes the control module to a LOT of traffic as all of your apps will see it as a gateway and hammer it. We had a similar problem with the Mitsubishi Outlander.

What a waste of time. IoT vendors clearly know how to exploit the geek in us all!

Zaplites

These are Bluetooth-controlled rather than Wi-Fi. Guess what… there’s no pairing security.

So, a rogue hacker in your neighbourhood could control your Xmas lights. Not much of a security issue there, I suppose.

George (ASDA) Home lights

Even more Bluetooth-controlled lights and just as little security: scan for lights, no pairing security.

Oh dear. Not-so-well done ASDA.

It doesn’t really affect your home security much though, as the lights don’t connect to your home network.

That said, looking at the API that the SmartBrights use, there’s a lot of functionality that looks interesting. We’ve already found that we can control the frequency of flashing, including frequencies that are not offered in the front-end app.

We’re trying to push it into the ranges commonly associated with photo-sensitive epilepsy, particularly 3Hz or so. If we do, then I think this becomes a rather more concerning problem.
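The finding above is that the flash rate is limited only by what the front-end app offers. As an added example (not code from this post or from any vendor), this sketch shows a controller enforcing the limit itself on every command it receives; the preset periods, the 400 ms gap and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed presets: the flash periods (ms) the companion app offers; 0 = steady. */
static const uint16_t PRESET_PERIOD_MS[] = { 0, 2000, 1000, 500 };
#define N_PRESETS (sizeof PRESET_PERIOD_MS / sizeof PRESET_PERIOD_MS[0])

/* Assumed floor between accepted pattern changes: rapidly alternating
 * commands could otherwise produce a flicker that no preset allows. */
#define MIN_CHANGE_GAP_MS 400u

typedef enum { CMD_OK, CMD_BAD_PERIOD, CMD_TOO_SOON } cmd_result;

typedef struct {
    uint16_t period_ms;      /* pattern currently driving the LEDs */
    uint32_t last_change_ms; /* monotonic tick of the last accepted command */
    bool     has_changed;    /* false until the first command is accepted */
} light_state;

/* Hypothetical handler the controller would call for every network command. */
cmd_result set_flash_period(light_state *s, uint16_t period_ms, uint32_t now_ms)
{
    bool allowed = false;
    for (size_t i = 0; i < N_PRESETS; i++)
        if (PRESET_PERIOD_MS[i] == period_ms)
            allowed = true;
    if (!allowed)
        return CMD_BAD_PERIOD;   /* value the app never offers: reject */

    /* Unsigned subtraction stays correct when the tick counter wraps. */
    if (s->has_changed && (uint32_t)(now_ms - s->last_change_ms) < MIN_CHANGE_GAP_MS)
        return CMD_TOO_SOON;

    s->period_ms = period_ms;
    s->last_change_ms = now_ms;
    s->has_changed = true;
    return CMD_OK;
}

int main(void)
{
    /* Constructed command sequence: {requested period, arrival time}. */
    const uint32_t cmds[][2] = { {1000, 10000}, {50, 20000}, {500, 20100}, {2000, 20200} };
    light_state s = {0};
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("period=%u -> result %d\n", (unsigned)cmds[i][0],
               (int)set_flash_period(&s, (uint16_t)cmds[i][0], cmds[i][1]));
    return 0;
}
```

The check sits on the device because anything enforced only in the app disappears as soon as someone talks to the API directly.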

I guess that the next evolution of smart Christmas lights will be integration into wider smart home systems. That will likely include a hub and then on to a gateway. That’s when things will get interesting – raising the potential to hack the home network via Christmas lights.

If anyone has seen a set that offers this functionality, please let me know via @TheKenMunroShow.