HACKING A LIFX Mini white light bulb

Pwn the LIFX Mini white light bulb by



The Device

Bought on Amazon (30 euros). The light bulb is plugged in, the LIFX app is installed on an Android smartphone, and the Wi-Fi connection is set up. The light bulb works fine.

Wunderbar, easy setup.

Fireproof paste all around

The most difficult part is cleaning the board and removing this paste.

The Setup

The major component of the module is identified as ESP32D0WDQ6, a SoC from Espressif.

The datasheet is available here. The SDK and tools are also available on GitHub. Some pins are soldered so the board can easily be connected to an FT2232H board. A little PCB reverse engineering is needed.

Simple setup

Vulnerability n°1: Wi-Fi credentials stored in plaintext in the firmware

Vulnerability n°2: No security settings (at all)

Vulnerability n°3: Root certificate and RSA private key extracted

I decided to stop the investigation after that.


In a very short amount of time, three vulnerabilities were discovered:

  • The user's Wi-Fi credentials have been recovered (stored in plaintext in the flash memory).
  • No security settings. The device is completely open (no secure boot, debug interface not disabled, no flash encryption).
  • Root certificate and RSA private key have been extracted.
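
A production check for the "no flash encryption" finding, as an added example that is not code from the original write-up: with ESP32 flash encryption enabled, the bootloader and partition table are stored as ciphertext, so a raw dump of a correctly provisioned unit should not expose their magic bytes. The offsets are the ESP-IDF defaults (an assumption about this device's layout), and the sample dumps are constructed, with XOR standing in for real encryption.

```python
import struct

BOOT_OFFSET = 0x1000    # second-stage bootloader location on the ESP32
TABLE_OFFSET = 0x8000   # ESP-IDF default partition table offset (assumed here)
TABLE_MAX = 0xC00       # maximum partition table length
IMAGE_MAGIC = 0xE9      # first byte of an ESP bootloader/app image
ENTRY_MAGIC = b"\xaa\x50"
# magic, type, subtype, offset, size, label, flags (32 bytes, little-endian)
ENTRY = struct.Struct("<2sBBII16sI")

def parse_partition_table(flash, table_offset=TABLE_OFFSET):
    """Return partition entries that can be read without any key."""
    entries = []
    end = min(table_offset + TABLE_MAX, len(flash)) - ENTRY.size + 1
    for pos in range(table_offset, end, ENTRY.size):
        magic, ptype, subtype, offset, size, label, flags = ENTRY.unpack_from(flash, pos)
        if magic != ENTRY_MAGIC:  # 0xFF padding, MD5 record or ciphertext
            break
        entries.append({
            "label": label.rstrip(b"\x00").decode("ascii", "replace"),
            "type": ptype, "subtype": subtype,
            "offset": offset, "size": size,
            "encrypted_flag": bool(flags & 1),
        })
    return entries

def audit_dump(flash):
    """Report whether a raw flash dump exposes plaintext boot structures."""
    boot_readable = len(flash) > BOOT_OFFSET and flash[BOOT_OFFSET] == IMAGE_MAGIC
    partitions = parse_partition_table(flash)
    return {"bootloader_readable": boot_readable,
            "partitions": partitions,
            "plaintext": boot_readable or bool(partitions)}

def build_sample_dump():
    """Constructed 36 KiB dump: bootloader magic plus two table entries."""
    flash = bytearray(b"\xff" * 0x9000)
    flash[BOOT_OFFSET] = IMAGE_MAGIC
    rows = [(1, 2, 0x9000, 0x6000, b"nvs"), (0, 0, 0x10000, 0x100000, b"factory")]
    for i, (ptype, subtype, offset, size, label) in enumerate(rows):
        ENTRY.pack_into(flash, TABLE_OFFSET + i * ENTRY.size,
                        ENTRY_MAGIC, ptype, subtype, offset, size, label, 0)
    return bytes(flash)

def scramble(flash, key=0x5A):
    """Constructed stand-in for an encrypted dump (XOR, not real AES)."""
    return bytes(b ^ key for b in flash)

if __name__ == "__main__":
    for name, dump in (("plain", build_sample_dump()), ("scrambled", scramble(build_sample_dump()))):
        print(name, audit_dump(dump))
```

A dump that reports `plaintext: True` on a shipping unit means flash encryption was never enabled, which is the condition that left the credentials and key material readable here.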


