| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.2 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, was found in LIFX Light Bulb. This affects an unknown function of the component Mesh Network Handler. The manipulation results in missing encryption. No exploit is available. This vulnerability is historically impactful due to its background and the reception it garnered. You should upgrade the affected component.
Details
A vulnerability was found in LIFX Light Bulb (affected version not known). It has been classified as problematic. Affected is some unknown functionality of the component Mesh Network Handler. The manipulation with an unknown input leads to a missing encryption vulnerability. CWE is classifying the issue as CWE-311. The product does not encrypt sensitive or critical information before storage or transmission. This is going to have an impact on confidentiality, and integrity.
The weakness was published 07/04/2014 as Hacking into Internet Connected Light Bulbs as not defined blog post (Website). The advisory is shared for download at contextis.com. The public release happened without coordination with the vendor. The blog post contains:
In the event of the master bulb being turned off or disconnected from the network, one of the remaining bulbs elects to take its position as the master and connects to the WiFi network ready to relay commands to any further remaining bulbs.The attack can only be initiated within the local network. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 04/11/2019). The MITRE ATT&CK project declares the attack technique as T1600. This vulnerability has a historic impact due to its background and reception. The advisory points out:
As can be observed in the packet capture above, the WiFi details, including credentials, were transferred as an encrypted binary blob. Further analysis of the on-boarding process identified that we could inject packets into the mesh network to request the WiFi details without the master bulb first beaconing for new bulbs.
Upgrading eliminates this vulnerability. The upgrade is hosted for download at updates.lifx.co.
Further details are available at arstechnica.com. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Vendor
Name
CPE 2.3
CPE 2.2
Screenshot
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.4VulDB Meta Temp Score: 5.2
VulDB Base Score: 5.4
VulDB Temp Score: 5.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Missing encryptionCWE: CWE-311 / CWE-310
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Partially
Availability: 🔍
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: updates.lifx.co
Timeline
07/04/2014 🔍07/09/2014 🔍
04/11/2019 🔍
Sources
Advisory: Hacking into Internet Connected Light BulbsStatus: Not defined
GCVE (VulDB): GCVE-100-67020
Misc.: 🔍
Entry
Created: 07/09/2014 11:18Updated: 04/11/2019 06:56
Changes: 07/09/2014 11:18 (45), 04/11/2019 06:56 (1)
Complete: 🔍
Cache ID: 216:5B6:103
No comments yet. Languages: en.
Please log in to comment.