I heard this week that the first vulnerability in smart light bulbs has been discovered–they can leak your Wi-Fi password.
I suppose I can take comfort in the cost of the bulbs–they cost $129, which means not a lot of people will have them, in a world where people complain about paying $5 for an LED bulb. Then again, for $129, I think it’s reasonable to expect a little bit of security. This isn’t a $15 router with a $2 profit margin. To its credit, the manufacturer immediately issued a patch to fix the vulnerability.
The problem with vulnerable devices like these is that they will be around for a very long time. An LED light bulb has a life expectancy of nearly 17 years. And I think they stand a chance of making it–I own several LED bulbs of different brands, bought my first one four years ago, and aside from one bulb that died after about a week, all of them are still going.
Consider Windows XP for a minute. I can’t bring XP up without someone asking me why anyone would want to run such a rickety old operating system. But Windows XP is 13 years old–less than the life expectancy of one of these light bulbs. These password-leaking light bulbs are going to be around longer than Windows XP was.
Will the manufacturer still be willing to support these bulbs with patches in 16 years? Will the manufacturer stay in business that long? Or if it’s acquired, will the new company provide support?
I think I’ll stick with my Cree bulbs.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.