Novel Attack Technique Uses Smart Light Bulbs to Steal Data August 27, 2018 https://www.bleepingcomputer.com/ne...chnique-uses-smart-light-bulbs-to-steal-data/ Paper: "Light Ears: Information Leakage via Smart Lights" (PDF): http://arxiv.org/pdf/1808.07814.pdf
This depends on an adversary dropping malware that exfiltrates data by modulating smart lights in the infrared. That's cool and all. But damn, just having arbitrary malware opens up worlds of pain. Data exfiltration via encrypted connections is easy enough as it is.
Experts demonstrate how to exfiltrate data using smart bulbs November 27, 2018 https://securityaffairs.co/wordpress/78455/hacking/smart-bulbs-data-exfiltration.html
It's hopeless, isn't it? I mean, anyone paying attention would put all that IoT stuff in a subnet with tightly controlled Internet access. Or none at all. And if you absolutely need remote access, use a Tor .onion with authentication. Or even a well-secured VPN server. I knew that a couple decades ago, at least.
This is why it's a really good idea to segment internal networks, e.g. with pfSense with multiple LAN ports or VLAN. Not that hard, and can segregate local devices from iot. The way the home automation stuff seems to be going is via devices appearing as Rest controllable and discoverable elements via an API, either directly or via some gateway; then you have some form of controller including smartphones and Alexa etc. There's a plethora of these APIs including from the Gorillas, mostly proprietary. Personally, I'd not touch this stuff with a bargepole unless it were open source and implemented on an Rpi or something I had full control over, including its attempts to communicate elsewhere. As mirimir says, it's likely easier to exfiltrate directly from the smartphone (say), rather than do it indirectly as here.
Security Analysis of the LIFX Smart Light Bulb https://www.schneier.com/blog/archives/2019/01/security_analys_6.html