The CP of both systems discovers the SD by the MAC address pattern (e.g., “D0:71:23” for LIFX and “FA:8F:CA” for Chromecast) of its Wi-Fi hotspot which is assigned by their manufacturers. As a consequence, these CPs are vulnerable to connecting to a fake SD’s hotspot with a valid MAC address pattern. Furthermore, it is common that the CP in smart home systems sends the SSID and password of the home Wi-Fi over the SD’s open hotspot while configuring the system.In the LIFX system, the credentials are sent in plain text over the SD’s hotspot. Hence an attacker can obtain the access to the home Wi-Fi by receiving the credentials over a fake LIFX SD’s hotspot. Consequently, these attacks suggest that using open Wi-Fi hotspots to send Wi-Fi credentials in plain text is inadvisable for smart home systems (even for initial configurations).

In the LIFX system, the first CP which joins the open Wi-Fi, or any CP which joins the home Wi-Fi of the benign user (e.g.,a malicious app installed on the user’s mobile phone), can send control commands to the SD. Since the SD does not have an authentication mechanism to authenticate the CP, a malicious CP which joins either of these networks can control the benign SD by sending control commands (e.g., SetPowerRequest and SetColorRequest).

(Here we demonstrate the attack using the official LIFX desktop app.)

LIFX uses UDP protocol to exchange messages over Wi-Fi between the CP and the SD. These UDP packets do not include any session related data (e.g.,timestamp and nonce). Thus, these packets can be intercepted and later replayed by the network attacker who taps into the communication channel between the CP and the SD to control the SD.