
If someone gets into your house to steal your lightbulb and cut it open, you probably have bigger problems than your wifi password being stolen.

No house-breaking is necessary. I could just go and buy a super fancy smart bulb and give it to you. You don't need your old insecure smart bulb any more so you put it in the bin. I take it from your bin. Now I have access to your network.

Your tech-savvy neighbour is the threat 99.99% of people should worry about, not a nation-state funded intelligence agency.



> Your tech-savvy neighbour is the threat 99.99% of people should worry about, not a nation-state funded intelligence agency.

You have a really pessimistic view of neighbors, I must say. If my neighbor walked up to me and asked for my wifi password, I'd probably give it to them.

IMO the threat 99.99% of people should worry about is botnets, whether created by state-level actors, criminal gangs, or script kiddies. These vulnerabilities are not interesting for those purposes.


Or I could just dump a Raspberry Pi Zero W attached to a 10000 mAh power bank in your garden, and wait for it to capture a 4-way handshake. Retrieve the data from the Pi, and throw some serious cloud computing power at it while brute-forcing the password.

Granted, it's going to take longer (perhaps), but chances are you'll never notice until it is too late. Of course, most users won't notice new devices on their Wifi anyway.

People keep forgetting that Wifi is per definition insecure. It's not a point to point technology, and every single packet you send is broadcast in a wide area around you. Furthermore, all current authentication methods, WEP/WPA/WPA2 (excluding WPA3 for now, as it has yet to see wide adoption), have all been cracked in one way or another.


Why go with something in the garden? If you're an evil wifi-stealing neighbor, surely you're already within wireless range, no?


The WiFi password will be there in any case; obfuscating it is not a big hurdle, and asking for a secure element in a $30 lightbulb is unreasonable in a world where many PCs still ship without a TPM chip.

People sure should have a dedicated IoT network, but in the grand scheme of things, home networks are not usually that sensitive, as in no important yet unencrypted service will be exposed internally as is typically the case in enterprise networks.


Why would I throw away a perfectly good led smart bulb just because I got another one?

That’s a pretty far-fetched social engineering scheme if you ask me.


Yeah, I don't find it particularly compelling.

To me the most compelling vector is actually selling compromised smart bulbs online that phone home and do more malicious stuff. In which case, the internal security of the device is irrelevant.


This would be trivial with Amazon commingling inventory.


If my neighbor is an evil adversary and they give me a lightbulb, why wouldn’t they just have the lightbulb modified to send them an email with the wifi password when I enter it?


> buy a super fancy smart bulb and give it to you. You don't need your old insecure smart bulb any more so you put it in the bin.

I don’t see anyone throwing out a working $30 light bulb.



