Hacking the Twinkly IoT Christmas lights

Pierluigi Paganini December 24, 2018

Security researchers discovered some flaws in the Twinkly IoT lights that could be exploited to display custom lighting effects and to remotely turn them off.

Security researchers from MWR InfoSecurity have discovered some flaws in the Twinkly IoT lights that could be exploited to display custom lighting effects and to remotely turn off their Christmas brilliance.

The experts were able to control the lights to play Snake, the popular game developed by Nokia in the 1990s.

Twinkly smart decorations can be controlled via a mobile app, and the experts focused their tests on that communication. The app connects to the decoration over unencrypted communication on the local network, allowing an attacker to carry out a man-in-the-middle attack.

The mobile app uses a UDP broadcast to port 5555 to discover the LEDs. In turn, it receives the IP address and the name of the device.


“All communications from the application to the lights is done through RESTful HTTP API endpoints on the lights on port 80. The communications are not encrypted, however the WiFi password is sent encrypted during set up (albeit trivial to decrypt).” reads the analysis published by MWR InfoSecurity.

“As the communications are not encrypted, it is simple to Man-in-the-Middle the traffic and analyse the API.”

Once the mobile app has discovered the IP address of the lights, it authenticates with them, receives an authentication token and retrieves information about the device. Experts found a flaw in the authentication process: it only authenticates the lights to the app and not vice versa.

“First, the application makes a POST request to the endpoint ‘/xled/v1/login’ with a base64 encoded 32 bit random number. The lights respond with an authentication token, how long it will be valid for, and a base64 encoded response to the challenge. This response is based on the random challenge number, the MAC address of the lights and a shared secret.” continues the analysis.

“The phone application sets the authentication token as a HTTP header and sends the received challenge response back to the lights on the endpoint ‘/xled/v1/verify’. This finalises the authentication allowing for authenticated endpoints to be called.”

Experts found hardcoded credentials in the firmware that are used to connect to a private broker through the Message Queuing Telemetry Transport (MQTT) protocol for exchanging messages with remote IoT boards and sensors.

MQTT is a publish-subscribe messaging protocol in which devices/nodes connect to a central broker. Devices can subscribe or publish messages to message queues (‘topics’) which other devices can also subscribe or publish to.

Each set of Twinkly lights has 3 topics it subscribes/publishes to:


“When the lights first turn on they publish their connection state, the SSID they are connected to, and their internal IP to the topic ‘/xled/status/$MAC’. This is an arguably low risk information disclosure.” continues the analysis.

“An interesting feature of MQTT allows you to subscribe to topics using wild cards, defined by the symbol ‘#’. Thus if we subscribe to the root with the topic ‘#’ we are subscribing to all topics and see all the lights publishing their information.”

Experts monitored the root for unique MAC addresses and discovered at least 20,000 devices exposed online.

The experts pointed out that any node can publish to any topic, allowing anyone to issue commands to any set of lights. The experts were able to remotely control the lights in the office.
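
As an added illustration (not code from MWR InfoSecurity or Twinkly), the Python below implements MQTT topic-filter matching and a per-device broker ACL, showing how a ‘#’ subscription sees every device on an open broker and is refused once each client is limited to its own ‘/xled/status/$MAC’ topic. The rule that a client's authenticated ID equals its MAC, the ACL policy and the sample MAC addresses are assumptions constructed for the example.

```python
# Added example (not MWR's or Twinkly's code). Assumption: the broker knows each
# client's authenticated ID and that ID is the device MAC.
STATUS_TOPIC = "/xled/status/{mac}"   # topic name taken from the article

def topic_matches(filt: str, topic: str) -> bool:
    """MQTT 3.1.1 filter matching: '+' is one level, '#' is the rest of the tree."""
    f, t = filt.split("/"), topic.split("/")
    if topic.startswith("$") and f[0] in ("+", "#"):
        return False                      # wildcards never match $SYS-style topics
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1        # '#' is only valid as the last level
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)

def acl_allows(client_id: str, topic_or_filter: str) -> bool:
    """Per-device ACL: a client may only name its own status topic, literally.
    Any wildcard in a subscription or publish request is refused outright."""
    if "#" in topic_or_filter or "+" in topic_or_filter:
        return False
    return topic_or_filter == STATUS_TOPIC.format(mac=client_id)

def delivered(subscriber: str, filt: str, published: list, enforce_acl: bool) -> list:
    """Topics a subscriber would receive for one subscription filter."""
    if enforce_acl and not acl_allows(subscriber, filt):
        return []                         # broker rejects the SUBSCRIBE
    return [topic for topic in published if topic_matches(filt, topic)]

# Constructed sample: status messages from three devices (MACs are made up).
MACS = ["AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02", "AA:BB:CC:00:00:03"]
PUBLISHED = [STATUS_TOPIC.format(mac=m) for m in MACS]

if __name__ == "__main__":
    print("open broker, '#':", len(delivered(MACS[0], "#", PUBLISHED, False)))
    print("ACL broker,  '#':", len(delivered(MACS[0], "#", PUBLISHED, True)))
    print("ACL broker, own :", delivered(MACS[0], PUBLISHED[0], PUBLISHED, True))
    print("publish to other device allowed:", acl_allows(MACS[0], PUBLISHED[1]))
```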

The experts demonstrated remote management of the Twinkly lights using the DNS rebinding attack technique.

A DNS rebinding attack allows any website to create a DNS name that it is authorized to communicate with, and then make it resolve to localhost.

This attack technique could be exploited to target a vulnerable machine and exploit vulnerabilities in applications running on the localhost interface or exposing local services.

The attacker only needs to trick victims into visiting a malicious page or viewing a malicious ad to launch the attack.

MWR Labs created a malicious webpage that, once visited by the victims, will allow the enumeration of all the devices on the local network. If Twinkly lights are present in the network, they will be instructed to display the message ‘Hack the Planet!’.


Pierluigi Paganini

(SecurityAffairs – SDUSD , data breach)
