Ultimately, it’s just a light bulb. If it gets breached for whatever reason then it’ll a minor annoyance with someone blinking lights until you flip the physical switch off….unless you have a light-sensitive condition I guess.
Unfortunately, no. Ultimately it’s a tiny computer that happens to produce light when a certain gpio pin is enabled. The light bulb is the portion you see, but inside, it’s an internet-connected microcontroller. I’ve even seen smart devices that internally run a full Linux distro complete with a shell session you can access if you know what you’re doing.
The problem is that some of these firmwares and/or exploits for these firmwares actively scan your local network and report things. Further, they can be used as a jumping off point for attacks deeper in your network.
At some point you have to define which threat vectors you’re willing to accept. Yes, in theory you’re correct. A device could ship with exploits for wifi targeting most access points or Bluetooth cards I guess.
So this device hops on my network, downloads a payload to break into my computer and finds…. PDFs of my tax returns, where most of the important data is already exposed and associated with my name? Worst case, tries to log into my bank accounts but is stopped by 2FA requiring a hardware token?
The bigger threat is the device wanting on my wifi or wired network, not some Zigbee bulb that has to conceal a wifi radio.
I’d be far more worried about a personal computer getting compromised before believing a Philips (or other mainstream hub) was popped.
Is it possible? Absolutely. We don’t know how secure these place’s software supply chain is.
I’m confident keeping it at “it’s just a lightbulb”, at least Zigbee bulbs, because the attack vector for this would take so much effort for it to be effective.
Sure, if you’re in a high-risk category, like if you live in an authoritarian state and you’re the popular candidate espousing democracy, I’d completely agree and say trash all of your wireless devices.
Ultimately, it’s just a light bulb. If it gets breached for whatever reason then it’ll a minor annoyance with someone blinking lights until you flip the physical switch off….unless you have a light-sensitive condition I guess.
Unfortunately, no. Ultimately it’s a tiny computer that happens to produce light when a certain gpio pin is enabled. The light bulb is the portion you see, but inside, it’s an internet-connected microcontroller. I’ve even seen smart devices that internally run a full Linux distro complete with a shell session you can access if you know what you’re doing.
The problem is that some of these firmwares and/or exploits for these firmwares actively scan your local network and report things. Further, they can be used as a jumping off point for attacks deeper in your network.
At some point you have to define which threat vectors you’re willing to accept. Yes, in theory you’re correct. A device could ship with exploits for wifi targeting most access points or Bluetooth cards I guess.
So this device hops on my network, downloads a payload to break into my computer and finds…. PDFs of my tax returns, where most of the important data is already exposed and associated with my name? Worst case, tries to log into my bank accounts but is stopped by 2FA requiring a hardware token?
The bigger threat is the device wanting on my wifi or wired network, not some Zigbee bulb that has to conceal a wifi radio.
And what about the zigbee hub, assuming you didn’t know enough to use homeassistant or some such?
Or a wifi bulb?
Point is, consumer smart electronics don’t have the same attention to security paid to them.
Fwiw, I’m not anti-smart device. I run HA and have all kinds of smart crap, so clearly I accept at least part of the risk.
But saying “it’s just a light bulb” is disingenuous as best.
I’d be far more worried about a personal computer getting compromised before believing a Philips (or other mainstream hub) was popped.
Is it possible? Absolutely. We don’t know how secure these place’s software supply chain is.
I’m confident keeping it at “it’s just a lightbulb”, at least Zigbee bulbs, because the attack vector for this would take so much effort for it to be effective.
Sure, if you’re in a high-risk category, like if you live in an authoritarian state and you’re the popular candidate espousing democracy, I’d completely agree and say trash all of your wireless devices.
The LIFX bulbs announced your WiFi password to anyone who asked. This is not a breach of the bulb itself, it’s a gateway to your LAN.
Hue bulbs use Zigbee, not wifi.
I don’t want to be annoyed
It opens up another vector for attacking other sensitive devices on my network. I haven’t segregated my network so I don’t feel safe doing this.