The S in IOT is for Security – Purism


Recently I was given two LED desk lamps to improve lighting for video meetings. These are just lamps with three controls: on/off, temperature, and brightness. In the misguided “make it an IOT device with an app to monetize human data” mentality, the temperature and brightness controls aren’t just knobs on the lamp. No, they are controlled by a proprietary app that you are forced to download to your phone or computer (well… unless you hack it, as I explain below). You also have to agree to the terms of service to install and use the application. After installing the app you must “activate” the lamp in the app by connecting it to your WiFi and the Internet.

Full Lamp Stack

This is no longer just a lamp… it is a full computer and WiFi access point. Secondarily it requires a proprietary app to be installed on a phone or computer that cannot be audited for security. Ownership is the ultimate measurement of privacy, security, and freedom; if you don’t own the device fully, you are owned by the developer (and manufacturer) of the device. The only way to own my lamp was to pwn my lamp.

Knowing (from experience) that any device with Internet access can open a reverse tunnel into the local network (autossh ... -R ...), and refusing to connect these lamps to my local WiFi and the Internet, I decided I would either a) recycle them; b) only use them in ‘lamp’ offline mode with the default values; or c) see if I could control their access point APIs without ever using (or agreeing to the terms of service of) the proprietary app.

Remember, there is just on/off, temperature, and brightness.

On/off works from both a physical switch on the lamp (right next to the reset button, since, you know, it’s now a computer) as well as the app (which I only saw in screenshots, since I never installed it). Temperature controls the blue-to-yellow color of the light (the default is full blue unless you change it). Brightness is about 90% by default, and I would like to adjust it depending on the time of day.

I thought if I can hack the lamp I could also put together an app that I own that can manage the lamp for my personal purposes. Since I have been following the incredible progress of app development for PureOS and the Librem 5 by using GNOME-Builder, writing a simple app would be a great project-based experiment to fully own/pwn my lamp.

Pwning the Lamp

These two lamps are WiFi access points, and the screenshots of the proprietary app show that its general flow is to “add” the lamp from the app (which means connecting to it as your WiFi access point) and then connect the lamp to the local WiFi (which of course gives it unfettered Internet access unless you do a lot of firewall rule guessing/setup at your router). So I decided to connect to the lamp AP and see what I could glean. The (unnamed) manufacturer did set up the APs with unique hex codes appended to their ESSIDs (“Manufacturer 4CDC”), and after connecting to the first lamp (it will take me a long while to not laugh that a lamp is an IOT device) I got the local IP 192.168.1.24 with the access point at 192.168.1.1. A browser at that address 404’d, so I probed the ports and found one open at 8193. A browser hitting that returned a page to connect the lamp to local WiFi. That is a no-go, so maybe there is a web API…

The Web API

A brief search returned the web API URL path that returns a JSON structure {"numberOfLights":1,"lights":[{"on":0,"brightness":28,"temperature":309}]}, so you can read the three values the lamp uses in the one-line data object. A GET returns the values and a PUT sets them. I was now able to connect to the access point, PUT a JSON string to the address:port/path, and control the lamp’s three values. Score: Lamp 0, Me 1.

A quick bash script allowed me to at least power on the lamps and set them to a predetermined temperature and brightness.
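To make the GET/PUT exchange concrete, here is an added example of the client logic such a script (or a Python app wrapping it) needs. This is my code, not the post’s bash script or Purism’s app. The post does not give the API path, so API_PATH is a placeholder, and the built-in fake lamp is constructed to mirror the JSON shown above; the real lamp’s own validation behaviour is not known. The parser treats the lamp’s response as untrusted input, which is the right stance for anything that arrives over a device’s own access point.

```python
"""Client for the lamp's local HTTP API, plus an in-process fake lamp for offline testing."""
import json
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Assumption: the post omits the real URL path, so a placeholder stands in for it.
API_PATH = "/PLACEHOLDER_LAMP_PATH"


@dataclass
class LightState:
    on: int
    brightness: int
    temperature: int


def parse_state(body: bytes) -> LightState:
    """Parse the lamp's JSON into a LightState, rejecting anything unexpected.

    The lamp is an untrusted peer on its own AP, so every field is checked
    rather than passed straight through to the rest of the app."""
    doc = json.loads(body)
    lights = doc["lights"]
    if doc.get("numberOfLights") != len(lights) or len(lights) != 1:
        raise ValueError("unexpected light count")
    light = lights[0]
    for key in ("on", "brightness", "temperature"):
        if isinstance(light[key], bool) or not isinstance(light[key], int):
            raise ValueError(f"{key} is not an integer")
    if light["on"] not in (0, 1):
        raise ValueError("on must be 0 or 1")
    return LightState(light["on"], light["brightness"], light["temperature"])


def build_payload(state: LightState) -> bytes:
    """Serialize a LightState in the same one-line shape the lamp returns."""
    return json.dumps({"numberOfLights": 1, "lights": [vars(state)]}).encode()


def get_state(base_url: str) -> LightState:
    with urlopen(Request(base_url + API_PATH), timeout=5) as resp:
        return parse_state(resp.read())


def set_state(base_url: str, state: LightState) -> LightState:
    req = Request(base_url + API_PATH, data=build_payload(state), method="PUT",
                  headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=5) as resp:
        return parse_state(resp.read())


class FakeLamp(BaseHTTPRequestHandler):
    """Constructed stand-in for the lamp: answers GET and PUT on API_PATH only."""
    state = {"on": 0, "brightness": 28, "temperature": 309}  # values from the post's JSON

    def _send_state(self):
        body = json.dumps({"numberOfLights": 1, "lights": [FakeLamp.state]}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path != API_PATH:
            self.send_error(404)
            return
        self._send_state()

    def do_PUT(self):
        if self.path != API_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        new = json.loads(self.rfile.read(length))["lights"][0]
        FakeLamp.state = {k: int(new[k]) for k in ("on", "brightness", "temperature")}
        self._send_state()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_lamp():
    """Start the fake lamp on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeLamp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Read the lamp, switch it on at a chosen brightness/temperature, read it back."""
    server, base_url = start_fake_lamp()
    try:
        before = get_state(base_url)
        after = set_state(base_url, LightState(on=1, brightness=50, temperature=250))
        return before, after
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real lamp you would replace API_PATH with the path you found and point base_url at the lamp’s AP address and port (192.168.1.1:8193 in the post); the fake lamp exists only so the parser and the PUT round trip can be exercised without any network.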

Having the ability to pwn the lamps via the web API means I do not have to give up any of my digital rights and can have complete ownership of these lamps, never giving any control to the manufacturer or app developers. Score: Lamp App 0, Me 2.

The App

Liberating myself from the freedom-crushing proprietary app and regaining control was fun. It’s not just that it’s a bad idea to connect a lamp to the Internet; it’s also a bad idea to install a random application you can’t audit on your phone.

GNOME-Builder is amazing (hi Christian). I decided to start a new project, selected Python, and it immediately started me off with a fully functioning (and buildable) Hello World example project.

I whipped up a quick layout in GNOME-Builder’s View Design tab and began translating the bash script’s nmcli and wget calls into Python libraries. After a bit of work learning how Flatpak manifests work to include the necessary libraries (hint: manifests are required learning to solve dependencies within a flatpak), I had a proof-of-concept app that allows me to connect to a lamp and adjust temperature and brightness.

An IOT Light App on PureOS for Librem 5

Securing my Lamp

Now I am able to control the lamps, without their ever accessing the Internet, from my Librem 5 phone as well as my Librem Mini desktop, adding the much-needed security to this IOT device. Because I have a Librem 5 running PureOS, it was relatively simple to replace the proprietary, insecure app with my own simple application that works both on my phone and (through convergent app development) on my desktop. I can keep the lamps in their own private compartment, disconnected from the Internet, and control them with my own trusted app.

As more Internet of Things devices (or, as some call them, Internet of Stings) make it onto more networks and into more homes, the more exploitation you and your digital life will suffer. This exploitation is highlighted regularly; today’s example, published by the Washington Post, “Massive camera hack exposes the growing reach and intimacy of American surveillance,” showcases the creepiness of insecure IOT.

Securing IOT

It’s commonplace now for companies to ship devices that take control away from you. In this case I was able to take control back.

Security must be at the foundation of IOT products. If a lamp needs to be an IOT device, it can at the very least be developed in a way that gives the user complete control over it: no terms of service to sign, no phoning home, and not a single bit sent over the network without the user requesting it. I made my IOT lamp do just that.