The flaw lies in the smartphone application used to control the bulbs. While analyzing the application's network traffic, the researchers found that only a few requests were sent encrypted over HTTPS and that everything else went out in plain text. “The first thing we noticed while analyzing the network traffic was that the smartphone application was mostly using plain HTTP requests to interact with the backend in the cloud. Only a few requests, for example to register a new user or to log in, were sent encrypted over HTTPS,” said the researchers. Anyone able to intercept that traffic could read a large amount of the data before it reaches the cloud.

The second problem is an authorization flaw in the cloud API. With access to any authenticated user account, an attacker could brute-force the MAC address of a target bulb and retrieve the account tied to it. “The API on the back end allows a user to find the user account that is associated with a specific light bulb by sending the MAC address of that device. There is no verification to determine whether the user account used to query a device is actually associated with that device. Therefore, an attacker only needs an active session that has already been authenticated and can then guess or brute force the MAC address of a target device,” the researchers added.
When using smart devices, it is always advisable to pay attention to what information the device and its companion app send out. Users should never grant permissions they are unaware of.