Once again, let’s spend some money on Amazon.
The WIZ lightbulb (TAOlight)
Once delivered, I put the light in its socket and download the WIZ application.
I pair the device with my Wi-Fi network using an Android smartphone.
Everything is fine. Works as expected. The light is operational.
The teardown
Pretty simple. Remove the cup and the LED PCB.
Second step: Let’s remove the two little screws and the envelope:
And now, we have full access to the electronic part:
The module is an ESP-WROOM-02, pretty standard for anyone who has already worked with the ESP8266.
SDK, tools and documentation are available here.
So, a fast and easy teardown.
The setup
Sh**ty device, sh**ty setup. Let’s solder some flying wires:
Pins 1 and 18 are connected to the 3.3 V supply voltage via crocodile clips. Pins 11, 12 and 13 are the UART connection. UART TX is also present on IO2 (not useful here).
Here is a relevant schematic to clarify:
Dumping the firmware
With IO0 grounded at power-on, the device starts in UART download mode:
Dumping the firmware is straightforward:
esptool.py -p /dev/ttyUSB0 -b 460800 read_flash 0 0x200000 flash_contents.bin
Connecting…
Detecting chip type… ESP8266
Chip is ESP8266EX
Features: WiFi
Uploading stub…
Running stub…
Stub running…
Changing baud rate to 460800
Changed.
2097152 (100 %)
2097152 (100 %)
Read 2097152 bytes at 0x0 in 55.1 seconds (304.3 kbit/s)…
Hard resetting via RTS pin…
Vulnerability n°1: Plaintext user Wi-Fi credentials stored in flash memory
A classic on ESP8266-based devices.
The ESP8266 does not support flash encryption, and the SDK provides no security feature to obfuscate even the most sensitive user data.
The SSID and password are stored four times (the application firmware is duplicated).
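A way to confirm this finding on your own dump, as an added example that is not code from the original post: the script below takes a raw flash image such as the flash_contents.bin produced by the esptool command above, reports every offset at which the owner's SSID appears and reads the field that follows it. The sample dump is constructed in the script; it assumes the NONOS SDK station_config layout (ssid[32] followed by password[64]) and repeats the record four times, mirroring the observation that the application firmware is duplicated.

```python
"""Check a raw SPI flash dump for plaintext Wi-Fi credentials.

Added example, not code from the original post. The dump is constructed here
and assumes a station_config-style layout (ssid[32] then password[64]).
"""
import re

# Values quoted in the post's UART capture; they only serve as search keys here.
SSID = b"KabelBox-0570"
PASSWORD = b"22684319688241754824"
# Offsets of the four constructed records inside a 64 KiB dump of 0xFF filler.
RECORD_OFFSETS = (0x0100, 0x0900, 0x8100, 0x8900)


def build_sample_dump() -> bytes:
    """Constructed dump: erased flash (0xFF) with four station_config-style records."""
    dump = bytearray(b"\xff" * 0x10000)
    for off in RECORD_OFFSETS:
        dump[off:off + 32] = SSID.ljust(32, b"\x00")
        dump[off + 32:off + 96] = PASSWORD.ljust(64, b"\x00")
    return bytes(dump)


def find_all(dump: bytes, needle: bytes) -> list[int]:
    """Every byte offset at which `needle` occurs in `dump` (overlaps included)."""
    hits, start = [], 0
    while (i := dump.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def credential_records(dump: bytes, ssid: bytes) -> list[tuple[int, bytes]]:
    """For each SSID hit, return (offset, NUL-terminated 64-byte field that follows
    the 32-byte SSID slot). Under the assumed layout that field is the passphrase,
    so the owner sees exactly what any reader of the dump would see."""
    records = []
    for off in find_all(dump, ssid):
        field = dump[off + 32:off + 96]
        records.append((off, field.split(b"\x00", 1)[0]))
    return records


def printable_strings(dump: bytes, min_len: int = 8) -> list[bytes]:
    """strings(1)-style triage for dumps where the SSID is not known in advance."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, dump)


if __name__ == "__main__":
    d = build_sample_dump()
    for off, pw in credential_records(d, SSID):
        print(f"0x{off:06x}: ssid={SSID!r} password={pw!r}")
    print(f"{len(credential_records(d, SSID))} plaintext copies found")
```

Run it against a real dump by replacing build_sample_dump() with the file contents and SSID with your own network name; if credential_records returns anything, the bulb must be treated as carrying your Wi-Fi password when it leaves your hands.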
Vulnerability n°2: Firmware can be reflashed
The firmware consists of three stages. The integrity of each stage is checked by a single checksum byte. There is no write protection and no secure boot (the ESP8266 does not support this feature).
If I have time, I will upload a little POC (my fault here).
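To make clear what a one-byte checksum does and does not protect against, here is an added example (not from the original post or from Espressif). It computes the ESP8266 image checksum the way esptool does (an XOR over all segment bytes starting from 0xEF), shows that it catches a single corrupted byte but not a paired edit, and contrasts it with a keyed SHA-256 MAC that does. Segment contents and the key are constructed for the demo.

```python
"""Why a one-byte checksum is not tamper protection.

Added example, not code from the original post. Segments and key are constructed.
"""
import hashlib
import hmac

ESP_CHECKSUM_MAGIC = 0xEF  # initial XOR value used by esptool for ESP8266 images


def esp_image_checksum(segments: list[bytes]) -> int:
    """XOR of every segment byte, starting from 0xEF, as the ESP8266 ROM computes it."""
    c = ESP_CHECKSUM_MAGIC
    for seg in segments:
        for b in seg:
            c ^= b
    return c


def checksum_ok(segments: list[bytes], stored: int) -> bool:
    """The ROM's acceptance test: recomputed checksum equals the stored byte."""
    return esp_image_checksum(segments) == stored


def image_tag(segments: list[bytes], key: bytes) -> bytes:
    """Tamper-evident alternative: HMAC-SHA256 over the concatenated segments."""
    return hmac.new(key, b"".join(segments), hashlib.sha256).digest()


def tag_ok(segments: list[bytes], key: bytes, stored_tag: bytes) -> bool:
    return hmac.compare_digest(image_tag(segments, key), stored_tag)


def flip_two(seg: bytes, i: int, j: int, mask: int = 0x01) -> bytes:
    """Apply the same bit mask to two bytes; the two XORs cancel in the checksum."""
    out = bytearray(seg)
    out[i] ^= mask
    out[j] ^= mask
    return bytes(out)


def demo() -> dict:
    """Run the comparison on constructed data and return the outcomes."""
    segments = [bytes(range(64)), b"Hello"]      # constructed stand-in for image segments
    key = b"demo-key-not-a-real-secret"          # constructed key for the MAC variant
    stored_sum = esp_image_checksum(segments)
    stored_tag = image_tag(segments, key)

    # Accidental corruption of one byte: the XOR checksum does catch this.
    corrupted = bytearray(segments[0])
    corrupted[3] ^= 0x80
    single = [bytes(corrupted), segments[1]]
    # Two bytes changed by the same mask: the checksum is unchanged, the MAC is not.
    paired = [flip_two(segments[0], 3, 40), segments[1]]

    return {
        "checksum": stored_sum,
        "single_byte_corruption_caught": not checksum_ok(single, stored_sum),
        "paired_edit_caught_by_checksum": not checksum_ok(paired, stored_sum),
        "paired_edit_caught_by_mac": not tag_ok(paired, key, stored_tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value if name != 'checksum' else hex(value)}")
```

The checksum is a transport-error detector, not an integrity control. The MAC in the example only helps if the verifier and its key cannot be rewritten by whoever rewrites the image; on the ESP8266 both would sit in the same unprotected flash, which is exactly why the post notes that secure boot is not available on this part. Parts with a hardware root of trust (for instance the ESP32's eFuse-backed secure boot) move that verification into ROM code with a key that flash access cannot alter.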
Vulnerability n°3: Wi-Fi credentials printed on UART
The UART log can be read by attaching the COM port to a terminal such as CoolTerm (74880 8N1). As usual, this odd baud rate is a consequence of the 26 MHz crystal used by the ESP8266: the boot ROM assumes a 40 MHz crystal, so its 115200 baud output comes out at 115200 × 26/40 = 74880.
Funny to see your SSID and your password popping up on the console while you are configuring the device:
scandone
TYPE: ESPTOUCH
T|PHONE MAC: 00 ec 0a 72 f0 44
T|AP MAC : 7c ff 4d 4c 5c 8b
T|pswd: 22684319688241754824
T|ssid: KabelBox-0570
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 6
pm open phy_2,type:2 0 0
cnt
connected with KabelBox-0570, channel 6
dhcp client start…
Of course, as an attacker I would not use this, but it gives an idea of how the product was designed by developers with security strongly in mind.
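Anyone who captures such a trace for a bug report or a disclosure e-mail needs to know which lines carry secrets. The following is an added example, not code from the original post: it pulls the `T|field: value` lines out of an ESPTOUCH provisioning trace like the one above, reports which fields are secrets echoed in clear, and produces a redacted copy that can be shared. The sample log is constructed from the lines quoted in the post.

```python
"""Flag and redact Wi-Fi credentials in a captured ESP8266 boot log.

Added example, not code from the original post. The sample log is constructed
from the capture quoted in the post.
"""
import re

SAMPLE_LOG = """scandone
TYPE: ESPTOUCH
T|PHONE MAC: 00 ec 0a 72 f0 44
T|AP MAC : 7c ff 4d 4c 5c 8b
T|pswd: 22684319688241754824
T|ssid: KabelBox-0570
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
connected with KabelBox-0570, channel 6
dhcp client start...
"""

# Fields of the ESPTOUCH trace that must never leave the bench in clear.
SECRET_FIELDS = {"pswd"}
# Not secrets on their own, but they identify the owner's network and phone.
IDENTIFYING_FIELDS = {"ssid", "AP MAC", "PHONE MAC"}
REDACTED = "<redacted>"

FIELD_RE = re.compile(r"^T\|(?P<field>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")
CONNECTED_RE = re.compile(r"^connected with (?P<ssid>.+), channel (?P<ch>\d+)$")


def parse_trace(log: str) -> dict[str, str]:
    """Collect the `T|field: value` pairs plus the SSID/channel from the join line."""
    fields: dict[str, str] = {}
    for line in log.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m["field"].strip()] = m["value"].strip()
            continue
        m = CONNECTED_RE.match(line)
        if m:
            fields.setdefault("ssid", m["ssid"])
            fields["channel"] = m["ch"]
    return fields


def leaked_secrets(log: str) -> list[str]:
    """Names of secret fields whose value is echoed in clear in the capture."""
    f = parse_trace(log)
    return sorted(k for k in f if k in SECRET_FIELDS and f[k] and f[k] != REDACTED)


def redact(log: str) -> str:
    """Replace secret values line by line, then mask identifying values everywhere
    (the SSID also appears in the 'connected with' line, not only in its T| line)."""
    f = parse_trace(log)
    out = []
    for line in log.splitlines():
        m = FIELD_RE.match(line)
        if m and m["field"].strip() in SECRET_FIELDS:
            line = f"T|{m['field'].strip()}: {REDACTED}"
        out.append(line)
    text = "\n".join(out) + "\n"
    for name in IDENTIFYING_FIELDS:
        value = f.get(name)
        if value:
            text = text.replace(value, f"<{name}>")
    return text


if __name__ == "__main__":
    print("leaked:", leaked_secrets(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Feeding a terminal capture through redact() before attaching it to a ticket is the practical mitigation on the user side; the real fix is the one the post implies, namely that the provisioning code should not echo the passphrase at all.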
Conclusion
WIZ provides the same level of security as the Tuya light bulbs or LIFX.
Nevertheless, the new thing here is the possibility to obtain secret data and to modify the firmware without destroying the device: it remains untouched after the manipulation. That opens the door to supply chain attacks. I encourage you to check the Disclosure below to see WIZ's position.
Reversing the firmware in depth (it is really close to the Tuya firmware) should be on my to-do list. ESP and Xtensa are interesting subjects…but time is limited.
This smart light chapter is done. I have pwned enough lightbulbs.
More pwn to come…always.
Disclosure
- 03/11/2018: E-mail to WIZ support asking for contact.
- 04/11/2018: A WIZ product manager sends me an e-mail.
- 04/11/2018: I describe the findings in an e-mail (no PGP key of course).
- 06/11/2018: The WIZ product manager answers: “We do take security very seriously. At the same time, we have to find solutions that “fit” into what needs to remain a “cheap enough” product for a consumer. Ensuring perfect security when someone has physical access to the product, as in being able to tear it apart, is always a hard thing to do.” Another extract from the WIZ manager: “Also, we do not provide easy access to flashing GPIO, no JTAG on our PCBs, not to mention that our lamps are sealed and potted, so it would be quite hard to reflash a product and sell it back looking “new”?”
- 06/11/2018: No more action from my side. They sell sh***y devices and they know that.
- 06/02/2019: Posted.
Got a batch of the new Wiz bulbs made by Philips (Home Depot, $14 e/ 60M color bulb).
Just wanted to say thanks for posting this info. Haven’t seen much in the way of a teardown on these (esp. the new version).
Would like to control the bulbs locally via curl commands but haven’t figured out how yet.
Thanks for your comment.
Regards
LR
Will take Tasmota, like any ESP8266:
https://github.com/arendst/Tasmota/
I’ve got their downlight flashed. Still have to take the time to see if I can get the right pins and control for the (color) lights. If successful, it’s a good price/performance ratio vs. Hue.
Any progress? Any idea how one might be able to control these locally without flashing new firmware?
I just bought one of the downlights, and I’m hoping to flash it.
How did you take it apart to access the ESP8266? I’m worried that I’ll break it.
PyWIZ library is available
Any chance you can post more details about this? Or even the firmware? I have one of these bulbs, and I’d rather like to stick a custom firmware on it (or at least control it without it being able to phone home).
Any idea of the AC side of the circuit? I assume it’s transformerless cap drop circuit?
Did your pwnage teach you enough that you could write a program on a PC on your LAN to control the light bulb without modifying the firmware?
That’s something I’d really like to be able to do. I’m not seeing any published API for Wiz bulbs.
My son and I were able to use pyWIZ to control them, no auth needed once on the network.
Thanks for the article, it’s great to know these have an ESP8266 and will therefore work cloud-less with ESPHome/Home Assistant.
However, I find it funny that the features you present as “vulnerabilities” are actually highly sought-after by the HA community, especially the possibility to reflash the firmware. There are sadly fewer and fewer devices with that possibility.
I mean, you are not wrong these can be deemed as vulnerabilities, but their impact is really very small. Yes, somebody could break into your house, steal one of these lightbulbs, extract your Wi-Fi password from it and then get onto your home network. But what are the odds of that happening? 😉
Then you mention a possible supply chain attack. Again, what are the odds of that happening? I mean, yes, it could happen, but if you are this paranoid, it might be best not using smart devices with firmware you haven’t flashed yourself, or even not using Wi-Fi at all 🙂
Hi, try to think out of the box.
You’re right, limited interest in this article.
Not to mention the 100+ wiz light bulbs I have in my house are all operating on a dedicated WiFi network that only has access to my appliances. What is a hacker going to do? Access that network and make my fridge spit ice on the floor?
Nobody with extra sensitive computer network is going to grant a device like a Wiz bulb access to an important network.
I bought a s**tload of wiz lights from home depot, online.
I notice on my network one light is uploading a TON of data, like.. 80GB one day, 430GB the next day.
I do remember when I received the lights, one of them appeared to be a return. You could tell it was opened and put back in the box.
I’m experiencing a similar issue. I’ve had a spike in data and these lights are the only thing I’ve added. What will happen is the light will disconnect from the wiz app like it is uncontrollable, then when you turn the light off and back on to reset you’ve essentially given away your wifi password hash, which someone is using to access your network.
Also bought these from Home Depot.
I actually bought 3 of these bulbs based on this article quite a while ago. I’m running Home Assistant and these can be flashed with ESPHome firmware quite easily, and integrated with HA. Here’s the relevant part of the ESPHome configuration file:
esphome:
  name: wiz-bulb
  platform: ESP8266
  board: esp_wroom_02
output:
  - platform: esp8266_pwm
    pin: GPIO13
    frequency: 1000 Hz
    id: out_cw
  - platform: esp8266_pwm
    pin: GPIO4
    frequency: 1000 Hz
    id: out_ww
light:
  - platform: cwww
    name: ${device_name}
    cold_white: out_cw
    warm_white: out_ww
    cold_white_color_temperature: 6500 K
    warm_white_color_temperature: 2700 K
    constant_brightness: false
remote_receiver:
  pin:
    number: GPIO5
    inverted: True
  dump: all
Yes, these bulbs have an infrared remote control receiver built in! 🙂 They could be easily controlled with any IR remote.
I cannot find this pyWIZ library with a google search. Does anyone have a link for it?
I have recently taken apart a WizMote and have determined that it is using an ESP-32 to send ESP-Now signals to the bulbs. It doesn’t use the Wi-Fi. I have decoded most of the signal, enough to decode what button is being pressed and that there is an incremental sequence number each time you press a button (Presumably used to know if it’s a new button press or not as it sends the same signal probably 5 times or so each time you press the button just to make sure the bulb receives it). There is, however, some seemingly random data that gets sent as well that I haven’t been able to figure out. I tried making my own program to send the same info (with the extra data being random) and the bulbs won’t recognize it.
However, you could absolutely write your own firmware for the remotes and the bulbs and make it do whatever you want.
My thoughts were to make a firmware for the bulbs that would send the remote’s MAC address and the button pressed to some kind of server that would interpret the commands, as opposed to the bulbs themselves being controlled directly, which would then interpret it and send the command(s) to the corresponding bulb(s). The purpose of this setup? Let’s say you want a particular remote to control all lights in the house, or maybe all outside lights, but don’t want to have to be in a specific room (or outside) for those bulbs to receive the signal. Perhaps you could have a remote in your vehicle (whether a hacked WizMote or a custom made one) that could have the same firmware and press a button when you pull in your driveway to turn all the necessary lights on.
I’m thinking something of a node-red setup where you could say “If the remote had this MAC address and this button is pressed, do this.”
py library https://github.com/sbidy/pywizlight
from article https://aleksandr.rogozin.us/blog/2021/8/13/hacking-philips-wiz-lights-via-command-line
So we can manage the light over the local network only, programmatically. The problem: if someone can enter our network and manipulate it via the UDP port, there is no security 🙁
They should not be printing the WiFi password on the serial line. But apart from that,
“We won’t protect against physical tampering” is a legit security stance.
Is there any way to tell if a bulb you bought at the store has been hacked?
I recently purchased an LED light strip and tried to extract the firmware for analysis. However, both the JTAG and UART interfaces of the controller seem disabled on my samples. I believe this is driven by the author’s communication. If anyone has an extracted firmware, may I have a copy to continue my research? Thanks.