by retSava 2691 days ago
Regarding 1 and 2 - while I'm not very familiar with the sec settings of this particular chip (esp32), what you can do is to store such settings in internal flash and have the fuse (or similar) setting active that disables reading out internal flash.

With this setup, you can snatch someone's lamp and do this dance to get their wifi credentials. With what I suggest above, you can't extract the content and thus credentials with it. There are other ways and attacks - power glitching, etc. - but that bumps the struggle up one notch or two.

edit: you don't ship with the credentials, but when a user sets this up, you store this in internal flash per above.


That's a very convoluted way to solve what is a non-problem to begin with. This is a light bulb screwed into a permanent light fixture. On or off, the ESP32 on this thing is powered.

So you just keep the WLAN credentials in RAM, RTC RAM if they even use low-power modes, and all of these problems go away. How often do you move light bulbs, after all?

I don't think storing credentials in the RTC memory is a good option. In that scenario, if you accidentally turn off the power to the lamp you lose the configuration (unless they add a battery/supercap backup, which might be difficult given that there is not much space and a lot of heat). I do know that by default, the ESP32 SDK stores the last used WiFi credentials on the flash memory mostly unprotected, though this can be disabled.

I am failing to see a real problem here, however. If an attacker is able to steal your light bulbs, I feel like you have bigger problems. I guess the biggest concern is that if you get burglarized you should maybe change your wifi password? More of a concern if you have some bulbs mounted outside, but that's about it.

That said, LIFX should have enabled some of the security settings of the chip. Encrypted flash and setting the read protect bits especially would make this attack much more annoying. It's cool that we could potentially flash our own firmware on these things, but it's pretty lazy from a security point of view.
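An added example, not from this thread: it applies the checks the last two posts describe (flash encryption, read-protect bits, download-mode and JTAG disables, secure boot) to a set of ESP32 eFuse values as reported by `espefuse.py summary`. The eFuse names are the real ESP32 ones; the two device profiles are constructed.

```python
from dataclasses import dataclass

@dataclass
class Esp32Efuses:
    """Subset of ESP32 eFuses relevant to dumping stored Wi-Fi credentials."""
    flash_crypt_cnt: int = 0       # 7-bit counter; odd number of set bits => flash encryption on
    disable_dl_encrypt: bool = False
    disable_dl_decrypt: bool = False
    disable_dl_cache: bool = False
    jtag_disable: bool = False
    abs_done_0: bool = False       # secure boot (v1) enabled
    rd_dis_blk1: bool = False      # BLK1 (flash encryption key) read-protected

def flash_encryption_enabled(e: Esp32Efuses) -> bool:
    # ESP32 treats flash encryption as enabled when FLASH_CRYPT_CNT has an odd popcount
    return bin(e.flash_crypt_cnt & 0x7F).count("1") % 2 == 1

def assess(e: Esp32Efuses) -> list:
    """Return findings that leave stored credentials recoverable; empty list means none."""
    findings = []
    if not flash_encryption_enabled(e):
        findings.append("flash not encrypted: a flash dump exposes NVS, including stored Wi-Fi credentials")
    else:
        if not e.disable_dl_decrypt:
            findings.append("DISABLE_DL_DECRYPT clear: UART download mode can return decrypted flash")
        if not e.disable_dl_cache:
            findings.append("DISABLE_DL_CACHE clear: download mode can read flash through the cache")
        if not e.disable_dl_encrypt:
            findings.append("DISABLE_DL_ENCRYPT clear: download mode can encrypt arbitrary images for this device")
        if not e.rd_dis_blk1:
            findings.append("BLK1 readable: the flash encryption key can be read back by software")
    if not e.jtag_disable:
        findings.append("JTAG enabled: RAM-resident credentials can be read from a running chip")
    if not e.abs_done_0:
        findings.append("secure boot off: modified firmware can be booted to read out credentials")
    return findings

# Constructed profiles: a bulb shipped with no eFuses burned, and one with the protections set.
STOCK_BULB = Esp32Efuses()
HARDENED_BULB = Esp32Efuses(flash_crypt_cnt=0b0000001, disable_dl_encrypt=True,
                            disable_dl_decrypt=True, disable_dl_cache=True,
                            jtag_disable=True, abs_done_0=True, rd_dis_blk1=True)

if __name__ == "__main__":
    for name, dev in (("stock", STOCK_BULB), ("hardened", HARDENED_BULB)):
        print(name, assess(dev) or ["no findings"])
```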