Security researchers from MWR InfoSecurity have discovered some flaws in the Twinkly IoT lights that could be exploited to display custom lighting effects and to remotely turn off their Christmas brilliance.
The experts were able to control the lights to play Snake, the popular game developed by Nokia in
The Twinkly smart decoration can be controlled via a mobile app, and the experts focused their tests on the communication between the two. The app connects to the decoration over unencrypted communication on the local network, allowing an attacker to carry out a man-in-the-middle attack.
The mobile app uses a UDP broadcast to port 5555 to discover the LEDs; in turn, it receives the IP address and the name of the device.
“All communications from the application to the lights is done through RESTful HTTP API endpoints on the lights on port 80. The communications are not encrypted,
“As the communications are not encrypted, it is simple to Man-in-the-Middle the traffic and
Once the mobile app has discovered the IP address of the lights, it authenticates with them, receives an authentication token and retrieves information about the device. Experts found a flaw in the authentication process: it only authenticates the lights to the app and not vice-
“First, the application makes a POST request to the endpoint ‘/xled/v1/login’ with a base64 encoded
“The phone application sets the authentication token as
Experts found hardcoded credentials in the firmware that are used to connect to a private broker through the Message Queuing Telemetry Transport (MQTT) protocol for exchanging messages with remote IoT boards and sensors.
The MQTT protocol is a publish-subscribe messaging protocol in which devices/nodes connect to a central broker. Devices can subscribe or publish messages to message queues (‘topics’) which other devices can also subscribe or publish to.
Each set of Twinkly lights has 3 topics it subscribes/publishes to:
“When the lights first turn on they publish their connection state, the SSID they are connected to, and their internal IP to the topic ‘/
“An interesting feature of MQTT allows you to subscribe to topics using
Experts monitored the root for unique MAC addresses and discovered at least 20,000 devices exposed online.
The experts pointed out that any node can publish to any topic, allowing anyone to issue commands to any set of lights. The experts were able to remotely control the lights in the office.
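The open-topic problem described above comes down to a broker that applies no per-device authorization. The following Python code is an added example, not code from MWR or Twinkly: it implements MQTT's standard `+`/`#` topic-filter matching and a broker-side check that confines each authenticated device to its own subtree. The `lights/<device-id>/...` topic layout, the device ids and the function names are assumptions made for illustration.

```python
# Added example: broker-side MQTT topic authorization.
# The lights/<device-id>/... layout and the device ids are constructed.

def filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' is one level, '#' is all remaining levels."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1  # '#' is only valid as the last level
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def authorize(client_id: str, action: str, topic: str) -> bool:
    """Confine a device to lights/<client_id>/...

    client_id must come from the broker-authenticated identity (a per-device
    credential), not from a value the client merely claims.
    """
    levels = topic.split("/")
    if len(levels) < 3 or levels[0] != "lights" or levels[1] != client_id:
        return False  # rejects '#', 'lights/+/...' and other devices' subtrees
    if action == "publish":
        return "+" not in levels and "#" not in levels  # no wildcards in topic names
    if action == "subscribe":
        return "#" not in levels[:-1]
    return False


SAMPLE_TOPICS = [  # constructed sample topics for two devices
    "lights/aa11bb22cc33/status",
    "lights/aa11bb22cc33/params",
    "lights/dd44ee55ff66/status",
]


def visible_topics(client_id: str, topic_filter: str, enforce_acl: bool) -> list:
    """Topics a subscriber would receive, with and without the ACL."""
    if enforce_acl and not authorize(client_id, "subscribe", topic_filter):
        return []
    return [t for t in SAMPLE_TOPICS if filter_matches(topic_filter, t)]


if __name__ == "__main__":
    me = "aa11bb22cc33"
    print("open broker, '#':", visible_topics(me, "#", enforce_acl=False))
    print("with ACL,    '#':", visible_topics(me, "#", enforce_acl=True))
    print("with ACL, own subtree:", visible_topics(me, f"lights/{me}/#", True))
```

With the check enforced, a root-level wildcard subscription returns nothing and a publish to another device's subtree is refused, while each device keeps full use of its own topics.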
The experts demonstrated remote management of the Twinkly lights using the DNS rebinding attack technique.
A DNS rebinding attack allows any website to create a DNS name that it is authorized to communicate with, and then make it resolve to localhost.
This attack technique could be exploited to target a vulnerable machine and exploit vulnerabilities in applications running on the localhost interface or exposing local services.
The attacker only needs to trick victims into visiting a malicious page or viewing a malicious ad to launch the attack.
MWR Labs created a malicious webpage that, once visited by a victim, allows the enumeration of all the devices on the local network. If Twinkly lights are present on the network, they are instructed to display the message ‘Hack the Planet!’
(SecurityAffairs – SDUSD, data breach)