Pwn the WIZ connected

Posted on by LimitedResults

Once again, let’s spend some money on Amazon.

The WIZ lightbulb (TAOlight)

WIZ Connected Wi-Fi Lighting (20 euros)

Once delivered, I put the light in its socket and I download the WIZ application.

I set the connection between my Wi-Fi and the device using an android smartphone.

Stay relax light goes on.

Everything is fine. Work as expected. The light is operational.

The teardown

Pretty simple. Remove the cup and the LEDs PCB.

No tool required.

Second step: Let’s remove the two little screws and the envelope:

First time I see this cooler solution…interesting 🙂

And now, we have full access to the electronic part:

The module is EPS-WROOM-02, pretty standard for someone which have already worked with ESP8266.

SDK, tools and documentation are available here.

ESP-WROOM-02 Pinout (Front view)

So, fast an easy teardown.

The setup

Sh**ty device, sh**ty setup. Let’s solder some flying wires:

Not my cleanest work, I have to admit

Pins 1 and 18 are connected to the supply voltage 3.3V via crocodile clips. Pins 11,12,13 are the UART connection. UART TX is also present on IO2 (not useful).

Here a relevant schematic to clarify:

ESP-WROOM-02 schematic

Dumping the firmware

Once IO0 is grounded and voltage ON, the device starts in UART download mode:

From the datasheet

Dumping the firmware is straightforward:

esptool.py -p /dev/ttyUSB0 -b 460800 read_flash 0 0x200000 flash_contents.bin
Connecting…
Detecting chip type… ESP8266
Chip is ESP8266EX
Features: WiFi
Uploading stub…
Running stub…
Stub running…
Changing baud rate to 460800
Changed.
2097152 (100 %)
2097152 (100 %)
Read 2097152 bytes at 0x0 in 55.1 seconds (304.3 kbit/s)…
Hard resetting via RTS pin…

Vulnerability n*1: Plaintext User Wi-Fi credentials stored in Flash Memory

Classic on ESP8266 based devices.

ESP8266 does not support flash encryption. The SDK does not provide security features to try to obfuscate at least some private user data.

The SSID and Password are stored four times (the application firmware is duplicated).

Vulnerability n*2: Firmware can be reflashed

The firmware consist on three stages. Integrity of each stage is checked by one checksum byte. No write protection, no secure boot (ESP8266 does not support this feature).

If I have time, I will upload a little POC (my fault here).

Vulnerability n*3: Wi-Fi credentials printed on UART

UART log is available by attaching the COM port to a terminal for example Coolterm (74880 8N1). As usual, this baudrate is weird due to the 26MHz Quartz used by the ESP8266.

Funny to see your SSID and your password popping the shell when you are configuring the device:

scandone
TYPE: ESPTOUCH
T|PHONE MAC: 00 ec 0a 72 f0 44
T|AP MAC   : 7c ff 4d 4c 5c 8b
T|pswd: 22684319688241754824
T|ssid: KabelBox-0570
scandone
state: 0 -> 2 (b0)
state: 2 -> 3 (0)
state: 3 -> 5 (10)
add 0
aid 6
pm open phy_2,type:2 0 0
cnt 
connected with KabelBox-0570, channel 6
dhcp client start…

Of course, as an attacker, I will not use that but it gives an idea about how the product was designed by developers with a strong security in mind.

Conclusion

WIZ provides the same level of security than the Tuya Light bulbs or LIFX.

Nevertheless, the new thing here is the possibility to obtain secret data and to modify the firmware without destroying the device. The device remains untouched after the manipulation. It opens the door to supply chain attacks. I encourage you to check the Disclosure below to know the WIZ status.

Reversing the firmware deeply (it is really close to the TUYA firmware) should be on my todo-list. ESP and xtensa are interesting subjects…but time is limited.

This smart light chapter is done. I have pwned enough lightbulbs.

More pwn to come…always.

Disclosure

  • 03/11/2018: E-mail to WIZ support asking for contact.
  • 04/11/2018: WIZ product manager send an e-mail to me.
  • 04/11/2018: I describe the findings in an e-mail (no PGP key of course).
  • 06/11/2018: WIZ product manager answers:“We do take security very seriously. At the same time, we have to find solutions that “fit” into what needs to remain a “cheap enough” product for a consumer. Ensuring perfect security when someone has physical access to the product, as in being able to tear it apart, is always a hard thing to do.” An other extract from the WIZ manager: “Also, we do not provide easy access to flashing GPIO, no JTAG on our PCBs, not to mention that our lamps are sealed and potted, so it would be quite hard to reflash a product and sell it back looking “new”?”
  • 06/11/2018: No more action from my side. They sell sh***y devices and they know that.
  • 06/02/2019: Posted.

21 Replies to “Pwn the WIZ connected”

  1. got a batch of the new Wiz bulbs made by Philips (homedepot, $14 e/ 60M color bulb)
    just wanted to say thanks for posting this info. haven’t seen much in the way of a teardown on these (esp. the new version)

    would like to control the bulbs locally via curl commands but haven’t figured out how yet.

    Reply

      1. any progress? any idea how one might be able to control these locally without flashing new firmware?

        Reply

      2. I just bought one of the downlights, and I’m hoping to flash it.

        How did you take it apart to access the ESP8266? I’m worried that I’ll break it.

        Reply

  2. Any chance you can post more details about this? Or even the firmware? I have one of these bulbs, and I’d rather like to stick a custom firmware on it (or at least control it without it being able to phone home).

    Reply

  4. Did your pwnage teach you enough that you could write a program on a PC on your LAN to control the light bulb without modifying the firmware?

    That’s something I’d really like to be able to do. I’m not seeing any published API for Wiz bulbs.

    Reply

  5. Thanks for the article, it’s great to know these have an ESP8266 and will therefore work cloud-less with ESPHome/Home Assistant.

    However, I find it funny that the features you present as “vulnerabilities” are actually highly sought-after by the HA community, especially the possibility to reflash the firmware. There are sadly fewer and fewer devices with that possibility.

    I mean, you are not wrong these can be deemed as vulnerabilities, but their impact is really very small. Yes, somebody could break into your house, steal one of these lightbulbs, extract your Wi-Fi password from it and then get onto your home network. But what are the odds of that happening? 😉

    Then you mention a possible supply chain attack. Again, what are the odds of that happening? I mean, yes, it could happen, but if you are this paranoid, it might be best not using smart devices with firmware you haven’t flashed yourself, or even not using Wi-Fi at all 🙂

    Reply

    3. Not to mention the 100+ wiz light bulbs I have in my house are all operating on a dedicated WiFi network that only has access to my appliances. What is a hacker going to do? Access that network and make my fridge spit ice on the floor?

      Nobody with extra sensitive computer network is going to grant a device like a Wiz bulb access to an important network.

      Reply

  6. I bought a s**tload of wiz lights from home depot, online.

    I notice on my network one light is uploading a TON of data, like.. 80GB one day, 430GB the next day.

    I do remember when I received the lights, one of them appeared to be a return. You could tell it was opened and put back in the box.

    Reply

    1. I’m experiencing a similar issue. I’ve had a spike in data and these lights are the only thing I’ve added. What will happen is the light will disconnect from the wiz app like it is uncontrollable, then when you turn the light off and back on to reset you’ve essentially given away your wifi password hash, which someone is using to access your network.

      Also bought these from Home Depot.

      Reply

  7. I actually bought 3 of these bulbs based on this article quite a while ago. I’m running Home Assistant and these can be flashed with ESPHome firmware quite easily, and integrated with HA. Here’s the relevant part of the ESPHome configuration file:

    esphome:
    name: wiz-bulb
    platform: ESP8266
    board: esp_wroom_02

    output:
    – platform: esp8266_pwm
    pin: GPIO13
    frequency: 1000 Hz
    id: out_cw

    – platform: esp8266_pwm
    pin: GPIO4
    frequency: 1000 Hz
    id: out_ww

    light:
    – platform: cwww
    name: ${device_name}
    cold_white: out_cw
    warm_white: out_ww
    cold_white_color_temperature: 6500 K
    warm_white_color_temperature: 2700 K
    constant_brightness: false

    remote_receiver:
    pin:
    number: GPIO5
    inverted: True
    dump: all

    Yes, these bulbs have an infra red remote control receiver built in! 🙂 They could be easily controlled with any IR remote.

    Reply

  8. I cannot find this pyWIZ library with a google search. Does anyone have a link for it?

    I have recently taken apart a WizMote and have determined that it is using an ESP-32 to send ESP-Now signals to the bulbs. It doesn’t use the Wi-Fi. I have decoded most of the signal, enough to decode what button is being pressed and that there is an incremental sequence number each time you press a button (Presumably used to know if it’s a new button press or not as it sends the same signal probably 5 times or so each time you press the button just to make sure the bulb receives it). There is, however, some seemingly random data that gets sent as well that I haven’t been able to figure out. I tried making my own program to send the same info (with the extra data being random) and the bulbs won’t recognize it.

    However, you could absolutely write your own firmware for the remotes and the bulbs and make it do whatever you want.

    My thoughts were to make a firmware for the bulbs that would send the remote’s MAC address and the button pressed to some kind of server that would interpret the commands, as opposed to the bulbs themselves being controlled directly, which would then interpret it and send the command(s) to the corresponding bulb(s). The purpose of this setup? Let’s say you want a particular remote to control all lights in the house, or maybe all outside lights, but don’t want to have to be in a specific room (or outside) for those bulbs to received the signal. Perhaps you could have a remote in your vehicle (whether a hacked WizMote or a custom made one) that could have the same firmware and press a button when you pull in your driveway to turn all the necessary lights on.

    I’m thinking something of a node-red setup where you could say “If the remote had this MAC address and this button is pressed, do this.”

    Reply

  9. They should not be printing WiFi password on serial line. But apart from that
    “We wont protect against physical tampering” is a legit security stance.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *