Hi everyone again, so we're ready for the next talk, which is Matthew Garrett, who's going to be speaking to us about everything you want to know about smart light bulbs. So thank you, Matthew.

It's a real pleasure to be here. I haven't been to EMF Camp before, but I'm enjoying it a great deal so far. My name is Matthew Garrett. I work on various bits of computer security stuff, but I'm going to be talking to you about light bulbs, which are largely a hobby I have, which sounds a little bit strange. I spend a lot of time taking smart light bulbs and other IoT-type devices, reverse engineering them, trying to figure out whether there's any sort of terrifying security issue with them, discovering largely that there is, and then gin. My slides are of very poor quality. I'm going to try to make up for that with quantity, so I'll be moving quite quickly. In the past, there was a time when dinosaurs were on the earth and there were very few light bulbs, so we're going to ignore that. In the 18th century, people start doing interesting things with electricity, and at some point during this time, people notice, oh, if you heat something, it glows, and if you pass electricity through something, it can heat up. And then, well, gosh, if we pass enough electricity through this large lump of platinum, then it produces light, which is great. This approach was not pursued in too much detail, because being around very hot lumps of platinum that are gradually evaporating into the air is not wonderful for your health. In the 19th century, we get to the point where what we would recognize today as the light bulb is invented by a lot of people simultaneously. A lot of people build light bulbs. A lot of people try to improve light bulbs, and we go through various stages. Obviously, Edison's approach ends up arguably winning because of him building an entire network of components that allow you to basically build your own city lighting system from scratch.
Around this time, we're still using carbon filaments. The problem with carbon filaments is that they don't last that long. The carbon that boils off sticks to the inside of the bulb, and your bulbs get progressively darker until they stop working entirely. So we move on to having tungsten filaments instead. And this is much better. This is what modern incandescent bulbs are still largely based on. You have a filament that does still gradually evaporate and cover the bulb. You get some reduction in light output over the lifetime. But overall, the idea is you put 40 or more watts through some tungsten inside a bulb, and then light comes out. People attempting to fix the lifetime issue (as the filament evaporates, it gets weaker, and then eventually it snaps) realize that if you fill the bulb with halogen, then as the tungsten evaporates, it reacts with the halogen and then eventually gets redeposited back onto the filament. So you have this nice closed cycle where the bulb doesn't deposit its filament over the interior of the bulb. The downside of this is that you need to run the halogen bulbs a couple of hundred degrees hotter than non-halogen bulbs, so they consume even more power. So the basic problem we have at the moment is all of these home lighting systems take a lot of power, and they're also emitting a lot of infrared, which is not what we generally want bulbs for. In the 90s and early 2000s, we start going into the world of compact fluorescent lighting, which is kind of terrible because they look ugly and they take time to warm up. Thankfully... oh, and they contain a whole bunch of horrible toxic shit. Then we move on to LEDs, which is where things start getting interesting, and now that we have LEDs, for an LED bulb to work you also need a moderate quantity of electronics on the board. And once you're already starting to put electronics into your light bulb, you may as well make those electronics do more interesting things as well.
And this is around when we start thinking about smart lighting really becoming a thing, although it's not actually directly linked to LED bulbs. How many of you remember those really annoying adverts for X10 home automation stuff that was all over the internet for a while? OK, some of you, good. It wasn't just a horrible dream. X10 has the magical ability to multiplex various control signals over the power lines so that you could use it to control systems remotely. And OK, then you could connect it to the internet and then you could control your lights by using the internet. This was magical. More recently, we also have smart switches, where you replace the switch in your wall with something that speaks a network protocol, and then that controls the lighting. We're not going to be talking about any of that stuff because smart switches are not smart light bulbs. They're much less interesting. Smart light bulbs speak to a network themselves. And what that network is varies massively. There's a lot of competition in this space. There's a lot of innovation... innovation's really not the right word, but there's a lot of people trying new things. I think innovation implies that you maybe build something better rather than merely different. Not so much here. So there's a variety of protocols. There's ZigBee, which is a mesh networking protocol in the 2.4 gigahertz or so range, and which allows a variety of different devices to form a mesh network inside your home. The advantage of having a mesh network is that you don't need to have your internet stuff, you don't need Wi-Fi, for instance, to reach your entire home. As long as each bulb is sufficiently close to another bulb, then you're able to get your signal through the mesh all the way to the device that you actually want to be talking to. Z-Wave is a mesh networking protocol that supports a variety of devices. Fundamentally, to the end user, the difference between ZigBee and Z-Wave is basically uninteresting.
They're completely different protocols, but they work in roughly the same frequency ranges, and they have roughly the same end effect. ZigBee is what's used by stuff like the Philips Hue platform and a variety of other lighting platforms. Z-Wave is more in the sort of enthusiast space, I'd say, at the moment, compared to ZigBee. A lot of people who know what Z-Wave and ZigBee are prefer Z-Wave, for reasons I'm not entirely clear on. People who don't know the difference generally end up with ZigBee, because that's what the things you buy in boxes that don't have the word ZigBee on them use. Obviously, because people have Wi-Fi networks and people don't always have ZigBee networks, ZigBee, like Z-Wave, requires a bridge between your traditional IP network and this completely different protocol. Most computers do not have ZigBee or Z-Wave radios built into them. Using Wi-Fi instead means you don't need that additional hardware. The downside with Wi-Fi is that you don't have the benefits of mesh networking. Everything needs to be in range, and the devices need to be a little more complex because they need a full Wi-Fi chipset, which is a harder protocol to implement than ZigBee and Z-Wave are. And finally, of course... well, I say finally, we also have Bluetooth, mostly Bluetooth Low Energy. This is convenient because your phones speak it. It's relatively low power. It's a bit above ZigBee and co, but it's less than Wi-Fi. You can build Bluetooth Low Energy bulbs for a slightly lower price point than a Wi-Fi bulb. And again, you don't need any sort of hub. The downside is that Bluetooth LE can only have a single control device connected to any device you're trying to control at once. So you can't easily have multiple people in the home simultaneously changing your bulb status. And of course, there are bulbs that use something entirely custom. There's a whole bunch of stuff that's generally referred to as, I think, LimitlessLED, which uses some custom, weird 2.4 gigahertz thing.
But someone reverse-engineered it. And there's a web page about it. But in itself, not particularly interesting. But why would you want to use a smart bulb in the first place? Why do we want to make these things that are supposed to just help us function in our homes when it's dark intelligent? So one thing, they're dimmable. Dimming LED bulbs otherwise is possible. But traditional dimmers generally don't work well with LED bulbs. You need to make sure that your LED bulb is compatible with your dimmer. There's a variety of newer, intelligent dimming switches that do a much better job of this. But again, you then need to make sure that your bulbs are compatible with that. Alternatively, you can just buy bulbs that are capable of dimming themselves, and that problem goes away. You can have color-changing bulbs, which is wonderful for parties, I guess, I don't know. Never really used this much. But there is the more useful aspect of color-changing, a sort of subset of it, which is being able to change the color temperature. You can have a bulb that, at various points in the day, has a different color temperature output. So as it gets towards night, you can change to a redder, less blue glow. You can wake up with a sort of more blue glow that encourages you to be active. You can go to sleep when everything's redshifted instead. You can react to external events; just ambient light, for instance, can be used to control the brightness of your bulbs. So instead of just turning your bulbs on when it starts getting dark, you can gradually have them ramp up and only produce as much light as is necessary for you to be able to see the things you want to see. So you can reduce your power consumption to an extent. And also, based on time of day, you can have different outputs. If you want, you can also do things like, oh, this stock price influences the color of this light bulb, for when you want to really be unhappy about the state of the world.
You can control smart bulbs from your phone, typically, which is great when you go out and realize that you forgot to turn the lights on, or alternatively when you're coming back and want to be able to turn your lights on before you get home. You can control them by shouting at some sort of voice control device, which means that if you wake up and discover that you've fallen asleep sitting upright and all the lights are still on, you can just sort of mumble incoherently and the lights will turn off, which fixes at least one of these problems. You can compensate for annoying lighting setups, like the one I have where every room in my flat has a light switch that controls one socket at the far end of the room. And I'm supposed to plug a lamp into that socket, and there's no way a single lamp in that corner of the room is enough to light the room. So basically, the light switch allows me to bootstrap enough light for me to be able to find the other lights and turn them on. And then do that in reverse, which means that my lights get turned off while I'm standing next to the front door, which is not where I sleep. Anyway, so smart bulbs allow you to avoid various very, very first-world problems. If you take a smart bulb and you pull it apart, like I'm sure many of you have either done or would like to do, you find, first of all, a plastic diffuser, the outer surface of the bulb. And this is necessary because LEDs are not particularly broad in direction. You want something that is able to hide the fact that you have a small number of point sources inside the bulb and spread that light out more widely. You have the LEDs themselves, obviously. I'm going to go into that a little more. You have a heat sink, because while LEDs are low power compared to incandescent ones, they're also not broadcasting a lot of their waste heat in the infrared spectrum. They get hot, and you need to conduct that heat away, rather than it being radiated away. You have a radio, obviously.
You need some sort of communications method. You have a controller. The controller is sometimes integrated with the radio. The controller is what is able to take the commands, interpret them, and then do something useful with them as a result. You have a driver, because you need something that is able to take 110 to 230 volts AC and turn that into what the bulbs actually run at, and it also needs to be able to control the brightness of them. For controlling the brightness of LEDs, you have two real options. You can just drop the current, but then you run into weirdness about LEDs being most efficient at a particular power draw. So, alternatively, you can do pulse width modulation. Basically, you turn the LEDs on and off very quickly, and then some people get very, very angry at you, because they can see the flickering. So the driver's responsible for handling that aspect of things. Some of these bulbs also contain a speaker. The speaker is normally an entirely separate Bluetooth audio device that's not integrated with any of the rest of the bulb's functionality in any way. So, the bulbs that you sometimes see that say they have a built-in speaker and they will change color in response to the music: your phone is playing the music to the speaker, and then your phone is also analyzing the music and is independently sending commands telling the bulb to change color, obviously. But going back to the LEDs, some bulbs are sitting there with red LEDs, green LEDs, and blue LEDs. Sometimes they're actually red, yellow, and blue rather than red, green, and blue; I guess that's an old one. Some of them have red, green, blue, and also white. So, the initial question is, you've got red, green, and blue, and we all know that red, green, and blue is enough to make white. Why do you want to also have white LEDs? And the answer is that white light's actually quite difficult.
If you want to be able to have your red, green, and blue LEDs produce white light that feels natural, they need to be very well balanced in terms of their output. And the problem is that LEDs from different batches are not particularly consistent in their response curve in terms of emitted light versus power put into them. So unless you're calibrating your bulbs with every batch, different bulbs will be different shades of white. And some of them will not be terribly convincingly white at all. If you just turn the red, green, and blue on, you'll get something that is either sort of sickly red or sickly blue or sickly green. So if you don't want to spend that additional money, the easiest way of doing that is to have additional white LEDs. White LEDs are also bright, which means that your bulb's lumen statement, of how good this bulb is in terms of its power consumption, sounds a lot better if you're able to say, yep, this is an eight-watt bulb that is 600 lumens. And then you discover that that's only true for the white LEDs. If you try using the color LEDs, they're nowhere near that bright. And then you also discover that if you try to drive the color LEDs and the white LEDs simultaneously, you're now outside your thermal budget and your bulb catches fire. So a lot of these cheaper bulbs will have high sticker values for their brightness, but that is only true if they're in white mode. And then you're not able to do any sort of temperature shifting in terms of the color output, because you can't turn the RGB LEDs on at the same time as the white LEDs. So in some cases, the more you pay in this space, you do actually get better bulbs as a result. A friend had some Philips Hues and I was very impressed and I thought, oh, this is clearly the future. And also this is far more money than I want to spend. I have at this point now spent significantly more than the cost of any number of Philips Hues buying a large number of very cheap light bulbs.
And writing Python libraries for communicating with those bulbs, which has involved reverse engineering the protocols. So, quick side note: I'm going to use the word Android in a moment, which means that I'm obliged to tell you that I do actually work for Google, but not on Android, and also this is not any sort of sales presentation. And also I am not representing my employer. This is the only use of the word Android. If you have an Android phone, if you go into the developer options, then there's an option for HCI debugging. And if you turn that on, all the Bluetooth traffic your phone produces gets dropped into a file on the /sdcard partition. You're then able to just copy that off your phone and then you have the full Bluetooth log of the communications, and you can analyze that and you can see what the app on your phone is doing with the bulb. And in some cases you end up discovering, oh, it basically sends four bytes, one for red, one for green, one for blue and one for white. And then that's it. And if you then want to implement that, you just write some code that sends the same things, and everything's great. For bulbs that are doing Wi-Fi, you can use tcpdump. For that you need a rooted device. Just throw those dumps into Wireshark, stare at them for a while, start swearing, consume gin. And eventually you end up with a library that allows you to communicate with these bulbs without needing to use the vendor's code in any way. And that way you can then integrate it with your own control system. In the process of doing this you may discover some strange things. For instance, there's a variety of bulbs that are all produced by the same company but which are rebranded... well, sorry, the control electronics are produced by the same company, but a large number of companies rebrand and resell them, where the initial network setup is done by sending them AT commands.
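The HCI snoop log the talk describes is a btsnoop file, and pulling the app's writes out of it is mostly a matter of walking three fixed headers. The following is an added example, not code from the talk or from the speaker's libraries: a minimal btsnoop (H4 datalink) reader that keeps only outgoing ATT Write Request/Command PDUs and interprets a 4-byte value as red, green, blue, white, as in the bulb the speaker mentions. The capture it parses is constructed inline; the attribute handle (0x0025), connection handle and byte values are made up for illustration, and ACL continuation fragments are not reassembled.

```python
import struct

# btsnoop file header: 8-byte magic, version (1), datalink type (1002 = HCI UART/H4)
BTSNOOP_MAGIC = b"btsnoop\x00"
BTSNOOP_H4 = 1002
H4_ACL_DATA = 0x02
L2CAP_CID_ATT = 0x0004
ATT_WRITE_REQ = 0x12
ATT_WRITE_CMD = 0x52


def iter_btsnoop_records(data):
    """Yield (flags, packet_bytes) for each record in a btsnoop capture."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != BTSNOOP_H4:
        raise ValueError("unsupported btsnoop version/datalink")
    off = 16
    while off + 24 <= len(data):
        # record header (big-endian): original len, included len, flags, drops, 64-bit timestamp
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        yield flags, data[off:off + incl]
        off += incl


def extract_att_writes(data):
    """Return [(att_handle, value)] for every outgoing ATT Write Request/Command."""
    writes = []
    for flags, pkt in iter_btsnoop_records(data):
        if flags & 0x01:            # bit 0 set = received; we want what the app sends
            continue
        if len(pkt) < 9 or pkt[0] != H4_ACL_DATA:
            continue                # skip HCI commands/events and short packets
        # ACL header (little-endian): handle + PB/BC flags, data length; then L2CAP length, CID
        _hf, _acl_len = struct.unpack("<HH", pkt[1:5])
        l2_len, cid = struct.unpack("<HH", pkt[5:9])
        if cid != L2CAP_CID_ATT:
            continue
        att = pkt[9:9 + l2_len]     # continuation fragments are not reassembled here
        if len(att) < 3 or att[0] not in (ATT_WRITE_REQ, ATT_WRITE_CMD):
            continue
        (handle,) = struct.unpack("<H", att[1:3])
        writes.append((handle, bytes(att[3:])))
    return writes


def decode_rgbw(value):
    """Interpret a 4-byte write as red, green, blue, white (the talk's example bulb)."""
    if len(value) != 4:
        raise ValueError("expected 4 bytes")
    return dict(zip(("red", "green", "blue", "white"), value))


# --- constructed sample capture (not a real phone log) -------------------------------
def _record(flags, payload):
    return struct.pack(">IIIIq", len(payload), len(payload), flags, 0, 0) + payload


def _acl(att_pdu, conn_handle=0x0040):
    l2cap = struct.pack("<HH", len(att_pdu), L2CAP_CID_ATT) + att_pdu
    # PB flag 0b10 (first, non-flushable) lives in bits 12-13 of the handle field
    return bytes([H4_ACL_DATA]) + struct.pack("<HH", conn_handle | 0x2000, len(l2cap)) + l2cap


def _att_write(opcode, handle, value):
    return bytes([opcode]) + struct.pack("<H", handle) + value


SAMPLE_LOG = (
    BTSNOOP_MAGIC + struct.pack(">II", 1, BTSNOOP_H4)
    + _record(0x02, bytes([0x01, 0x0C, 0x20, 0x02, 0x01, 0x00]))   # HCI LE_Set_Scan_Enable, sent
    + _record(0x00, _acl(_att_write(ATT_WRITE_CMD, 0x0025, bytes([0xFF, 0x80, 0x00, 0x00]))))
    + _record(0x01, _acl(_att_write(0x1B, 0x0028, b"\x01")))       # notification, received
    + _record(0x00, _acl(_att_write(ATT_WRITE_REQ, 0x0025, bytes([0x00, 0x00, 0xFF, 0x10]))))
    + _record(0x01, _acl(b"\x13"))                                  # write response, received
)

if __name__ == "__main__":
    for handle, value in extract_att_writes(SAMPLE_LOG):
        print(f"handle 0x{handle:04x}: {value.hex()} -> {decode_rgbw(value)}")
```

On a real log you would read the file from the phone and feed its bytes to `extract_att_writes`; the handles that keep showing up with 4-byte values are the ones worth mapping against what you did in the app at the time. Once you see the same handle carrying plausible colour values, you have the whole protocol the speaker describes.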
One of the AT commands you send is to configure the cloud service that you can use to control the bulb when you're outside your home. Whether that's authenticated or not is entirely up to whoever's running that service. Some of them are not really authenticated, such that you're able to just contact the cloud service, brute force your way through every possible bulb ID, find out which ones respond to commands and then just turn them on and off. I should make it clear that I have not done this. But in most cases the vendor has probably done better than that and you're probably okay, everything is probably fine. It's not always fine. The first set of bulbs I bought, and actually absolutely the worst I've ever bought, was something called the iSuper iRainbow001. You can tell it's great because it's got two i's and also they haven't made any of them before; this is their first attempt. So it came with a hub, and you plug the hub into your network, and there's a button for physical presence authentication, and the idea of this is to allow you to ensure that anyone who is going to be able to control the bulbs was at some point in physical proximity to the bulbs inside the house. You press the button, your phone pairs with it, exchanges credentials with the hub, and from then on you're able to control the hub. The button does nothing. If you send the "hi, I would like to communicate with you" command to the broadcast address, it says yes, regardless of whether or not the button is being pressed. There were no credentials for the cloud communication. You could contact the cloud service and then control anyone else's devices without knowing anything about them. But my absolute favorite part is that the hub was running a hidden Wi-Fi network with a DHCP server.
So if you knew that someone had one of these, you just needed to walk up and try to connect to the iRainbow network and you'd then be authenticated and connected to this device, which was running a Telnet daemon, admin/admin. So this was great. You could bring it home, plug it in, and then anybody nearby was able to access your entire home network by just bouncing through this insecure device. So one of the amazing extra fun things was that I did work out the protocol for sending commands, and one of the commands just caused the bulb to start flickering at somewhere a little worryingly close to eight hertz. That was not really good. Compared to that we have the Philips Hue. I do not have any business relationship with Philips. It has a button that does something. You press the button and then you're able to authenticate against the device. If you don't press the button, you can't. Every device has a unique cryptographic ID. It authenticates itself to the Philips cloud service. So you can't even build something that pretends to be someone else's Hue hub. Each Hue hub has a unique cryptographic ID, and amazingly this cryptographic ID gets regenerated whenever you do a factory reset. So if you do a factory reset, all existing credentials are gone forever. There's no way for you to do anything with the fact that you previously knew the credentials. Someone else gets this device, does a reset, gone. So the other nice thing about the Hue was that, as I mentioned, they solved the RGBW problem by initially using red, yellow and blue LEDs, which meant that they could get really nice whites, and they were very good at calibrating the LEDs so they were actually white. The downside was you couldn't really do green because there was no green. But the more recent ones are as good at doing whites and are also able to do green. So that's nice. So basically, compared to the iRainbow, the Hue is just wonderful. If it were a dog, it would be a good dog, as all dogs are.
Now I'm going to talk about some security work that I did not do. People far smarter than me did this. The bulbs turned out to be vulnerable to side channel attacks: by measuring very accurately the power consumption of the bulb, you could infer what the CPU on the bulb was doing, which meant that researchers were able to extract the AES key that was used to decrypt and verify firmware updates. Now the obvious problem here is that AES is a symmetric encryption algorithm. The same key is used for encryption and decryption. Don't do this. Use RSA or something which has a public/private split. That way the only thing someone can extract from the bulb is the public key, and there's a hint in the name. You're not gaining anything by doing that. Now, the reason they do AES is that RSA is more computationally expensive, and it's a case of, okay, we don't want to push RSA onto a device that doesn't have much computational ability. The same researchers also discovered how to take over bulbs. Now, being able to produce modified firmware, well, having the firmware encryption keys is not too much of a problem, because the download path for the firmware is still protected by SSL and the bulbs will not accept firmware updates unless you're on the same ZigBee network as those bulbs are. And it's not possible to join the same ZigBee network as the bulbs without physical presence. Reauthenticating requires close physical locality. The bulbs will look at a request to join a network and will check that the signal is sufficiently strong that you must be very close to the bulb, and will use that as a way of saying, okay, no, I'm not going to join this network because you're too far away. Unfortunately, the command to trigger a factory reset of the bulbs did not require any physical proximity. And once you do a factory reset of the bulbs, they will join the first network that asks them to join.
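The gap the speaker describes is a threat-modelling one: the join path was gated on proximity, but a second path into the same trust state (factory reset, then accept-any-join) was not. The toy model below is an added example, not the bulbs' real firmware or anything from the researchers' paper: a bulb that checks signal strength on join, with the reset handler shown in its weak form beside the hardened form that applies the same gate to every transition that clears the bulb's network membership. The RSSI threshold, network names and the "distant controller" scenario are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed threshold (made-up value): a request this strong must come from inside the room.
PROXIMITY_RSSI_DBM = -40


@dataclass
class MeshBulb:
    """Toy model of join/reset handling; not any vendor's real firmware."""
    reset_requires_proximity: bool            # False = the weak behaviour described in the talk
    network: Optional[str] = "home"           # None = factory state, which accepts any join
    log: List[str] = field(default_factory=list)

    def _close_enough(self, rssi_dbm):
        return rssi_dbm >= PROXIMITY_RSSI_DBM

    def handle_join(self, network, rssi_dbm):
        # A bulb that already belongs to a network only re-joins if the requester is close.
        # A bulb in factory state takes the first network that asks.
        if self.network is not None and not self._close_enough(rssi_dbm):
            self.log.append(f"join {network!r} rejected: rssi {rssi_dbm} dBm")
            return False
        self.network = network
        self.log.append(f"joined {network!r}")
        return True

    def handle_factory_reset(self, rssi_dbm):
        # Weak form: reset is honoured from any distance, which silently bypasses the join gate.
        # Hardened form: reset is a trust-state change too, so it needs the same proximity check.
        if self.reset_requires_proximity and not self._close_enough(rssi_dbm):
            self.log.append(f"reset rejected: rssi {rssi_dbm} dBm")
            return False
        self.network = None
        self.log.append("factory reset")
        return True


def run_remote_scenario(bulb, rssi_dbm=-80):
    """Network the bulb ends up on after a distant controller sends reset then join."""
    bulb.handle_factory_reset(rssi_dbm)
    bulb.handle_join("rogue", rssi_dbm)
    return bulb.network


def run_nearby_owner_scenario(bulb, rssi_dbm=-30):
    """The legitimate case: an owner in the room resets and re-pairs the bulb."""
    bulb.handle_factory_reset(rssi_dbm)
    bulb.handle_join("new-home", rssi_dbm)
    return bulb.network


if __name__ == "__main__":
    for hardened in (False, True):
        b = MeshBulb(reset_requires_proximity=hardened)
        print(f"reset_requires_proximity={hardened}: ends on {run_remote_scenario(b)!r}")
        print("  " + "; ".join(b.log))
```

The point of the model is the review question it encodes: for each command that can clear or replace a device's trust relationship (reset, re-pair, re-key), is it protected by the same check as the command that establishes the relationship in the first place? If the answer differs between the two, the weaker path is the one that will be used.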
So researchers were able to demonstrate that they could send a factory reset command to a bulb, get the bulb to join their network and then flash their firmware onto the bulb. So they did that. And they did that with firmware that was capable of finding any other nearby bulbs and doing the same thing to them. And because why not, you're going this far, you're already going to publish a paper that's going to suggest that we're one light bulb away from the entire internet infrastructure being taken down, they did this flying a drone outside an office window. Anyway, that was very neat. So the other fun thing about these bulbs is in terms of how you do initial setup. For ZigBee and Z-Wave devices, that's handled by the protocol. There's nothing particularly exciting about it. It's not particularly easy to attack unless you're standing up your own ZigBee network, and then you're back to the previous issue. Bluetooth, it's just... the device is discoverable. You connect to it. You potentially have some sort of initial authentication setup such that you're now the only device that can talk to the bulb, and you need to do a factory reset to pair any other, because there's now a shared secret between you and the bulb. Wi-Fi, you need some way of telling it how to get onto your network. The standard way of doing this is that the bulb comes up running an access point. You connect to that access point and then you send it information about your network. This is kind of the usual way these things happen. Alternatively, you can have the bulb just scan through frequency ranges looking for... When you're running an encrypted Wi-Fi network, you can still see packet lengths. So how about if you just encode the network credentials by sending packets of different lengths, blast those onto the network in multicast, and then the bulb just scans through the Wi-Fi ranges looking for a network that's doing this and then scrapes the credentials out that way. So that's the thing.
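The packet-length provisioning scheme is worth seeing end to end, because the same function serves as both the bulb's decoder and a description of what any other radio in range learns. The code below is an added example with a deliberately simplified, constructed encoding (start marker, one frame per credential byte, end marker); it is not the real ESP-Touch/SmartConfig wire format and is not from the talk. The marker and base lengths, the SSID and passphrase, and the surrounding "normal traffic" lengths are all made up.

```python
from typing import List, Optional, Tuple

# Constructed toy scheme (assumption, not a real vendor format):
# one frame of length START_LEN, then one frame per byte of "ssid\0passphrase"
# with length DATA_BASE + byte value, then one frame of length END_LEN.
START_LEN = 600
END_LEN = 601
DATA_BASE = 700          # data frames are 700..955 bytes, well inside a 1500-byte MTU


def encode_credentials(ssid: str, passphrase: str) -> List[int]:
    """Frame lengths the provisioning app would transmit; the payloads themselves are irrelevant."""
    blob = ssid.encode() + b"\x00" + passphrase.encode()
    return [START_LEN] + [DATA_BASE + b for b in blob] + [END_LEN]


def decode_from_lengths(lengths: List[int]) -> Optional[Tuple[str, str]]:
    """Recover (ssid, passphrase) from nothing but observed frame lengths.

    This is exactly what the bulb does. It needs no key and no association with
    the network, so it is also exactly what any passive listener in range can do
    while the app is transmitting: the only protection is radio range.
    """
    collecting = False
    buf = bytearray()
    for n in lengths:
        if n == START_LEN:
            collecting, buf = True, bytearray()
        elif n == END_LEN and collecting:
            ssid, _, psk = bytes(buf).partition(b"\x00")
            return ssid.decode(errors="replace"), psk.decode(errors="replace")
        elif collecting and DATA_BASE <= n <= DATA_BASE + 255:
            buf.append(n - DATA_BASE)
        # any other length is unrelated traffic (or the burst was cut off); ignore it
    return None


# Constructed observation: ordinary traffic around one provisioning burst. Only the
# lengths are recorded, which is all an observer of an encrypted network sees.
OBSERVED_LENGTHS = [66, 1514, 128] + encode_credentials("emfcamp", "correct horse") + [54, 1514]

if __name__ == "__main__":
    print(decode_from_lengths(OBSERVED_LENGTHS))
```

Real schemes add sequence numbers and checksums so the bulb can cope with reordering and with unrelated frames whose lengths happen to fall in the data range; none of that changes the property shown here. From a defender's point of view, the provisioning step should be treated as a broadcast of the passphrase: do it where you control who is within range, or prefer the access-point style setup the talk describes first.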
So obviously a lot of these bulbs are running terrible firmware that's insecure, that's trying to phone home to places you would rather your bulb wasn't phoning home to, and then you're really hoping that nobody else is phoning home to your bulbs. Is there a better way, other than buying the very expensive bulbs? And the answer is that many of the cheap bulbs are based on the Espressif ESP8266. Of course, there's a bunch of serial port headers on them. Of course, you can solder wires onto that or build a pogo pin board and then reflash them with free software firmware, which you can get from these locations. And these bulbs, then running this firmware, expose all the control for the bulb over standard interfaces. You can use MQTT, which is a home automation framework. Obviously, if you do this, take care not to actually run your bulbs in a way that results in them becoming too hot and catching fire, because if you do, it's your fault, not mine, not the people who wrote that firmware. That is everything I'm going to tell you about bulbs, unless you have questions about bulbs. Do we have the... Like this?

Did you play around with any of the light bulbs that are on 433 megahertz?

I'm sorry? Any of the light bulbs that are on 433 megahertz. No, I did not look at anything that was in the sort of custom range there. Sorry.

Okay, thanks. Thank you.

Did you ever find anything that was actively malicious? Like it wasn't merely poorly authenticated and running Telnet, it was deliberately doing this.

Thankfully, I have not found any light bulbs that are actively malicious. Any more questions? I think someone's back. Someone say yes. Where are we? Where? I can't see. Can someone else who can see you through the bulb? Okay, in that case... oh, sorry, you had the bulb. Okay, in that case, thank you.