No hub required, Wi-Fi is built into the bulb
11-Watt, 1050 Lumens, equivalent to a traditional 75-Watt incandescent bulb
Control your bulb individually or as a group using your smartphone, or voice with Amazon Alexa, The Google Assistant or Microsoft Cortana
Ready to use anywhere around your home, such as table and floor lamps, ceiling fans and more
Estimated energy cost of $1.20 per year (based on 3 hours/day, cost varies on rates and usage)
Choose from millions of colors
Compatible with all 2.4 GHz Wi-Fi networks
How devices like this often work is: the app connects to a web service. The bulb connects to that same web service, with little or no security. So anybody can connect to that service and then to the bulb. Which is inside your home network. If they can exploit a vulnerability in the bulb’s firmware, now that light bulb is a computer they control inside your network. They might not be targeting you, but you’re now a target.
Which might not be a huge deal, depending, but it’s about five steps closer to hijacking your bank account than you want anyone to be.
There’s a good article by Matthew Garrett, who knows way more about crappy smart bulbs than anyone should probably have to: https://mjg59.dreamwidth.org/51910.html It’s about 18 months old but the general advice is still sound:
Wifi-only bulbs are almost certainly crap.
Bluetooth are better (as long as they don’t support wi-fi or you can and do turn that off), but inconvenient.
Zigbee bulbs will be more solid and safer generally, but cost a little more and you have extra equipment to deal with.
Hue bulbs are basically the gold standard here, not only because they’re better designed, but because Philips actually cares about updating them when bugs or vulnerabilities are discovered.
@kensey Thank you for the write-up. I’ve never had any real use for these sorts of bulbs, or most IoT stuff, but had thought about them for their novelty only. I’ve become increasingly concerned as various devices have climbed onto our local connection, but so far all have checked out to be secure. So, the info provided convinced me to give this the big Meh.
@kensey I dig what you are saying, but these are fun, colorful, light bulbs. I am admittedly naive, but I really don’t think the Chinese are using these bulbs to hack my accounts. If I were so paranoid, I’d never be posting on a platform as open as this, and nor should you.
I’ve got some of these. They have a separate “white” mode vs. color. The white is a cromulent warm-ish white, BUT that’s the only thing that delivers the 1050 lumens. All the color modes are much dimmer. In fact, setting the white mode to 1% brightness is brighter than any of the colors at 100% brightness. For the price they’re okay, but don’t expect anything near 1050 lumens of color.
Are there any bulbs that allow anything like per-channel control of color? These, like many other bulbs, give you a sort of rainbow color picker. I’d really like something that lets you set the Red, Green, and Blue (and white if present) elements individually.
Is that 1050 Lumens, or 1050 Chinese Lumens?
Seriously though, the only way to use these things is to
have a second profile on your phone (or a burner/old phone) to do the one-time install of the malware app, then,
configure them all to use a guest network, or their own sandboxed network.
When you then link to your Alexa/Google account, and you say “turn on the living room light” the message most certainly goes to the Alexa cloud, then to the Chinese web server, and it sends a message back to the bulb. i.e. there’s likely no easy way to use these things on an isolated, internet-less bubble.
If you really want to use these, set up your firewall so they can ONLY talk to their Chinese server, and DROP packets to anywhere else, so they can’t be hijacked and then used to launch DOS attacks against stuff with your 100MBit-1GBit internet connection!
As a good measure, your firewall should probably also have very low bandwidth limits set, so that IF they were compromised, they would be crippled by your firewall.
All that said, sometimes there’s third party firmware that can be used on these types of bulbs, but ONLY if the original firmware is old and you don’t first use the original app to provision them (where they’ll update their firmware automatically). Some of the 3rd party firmware requires a JTAG programmer, but if you’ve gotten this far, you probably already know most of this.
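An added example (not part of any post in this thread) of the firewall setup described above: bulbs may reach only the vendor server, everything else is dropped, and their total bandwidth is capped. It assumes a Linux router running nftables with the bulbs on their own interface `iot0`; the address 203.0.113.10 is a documentation-range placeholder for whatever endpoint you observe your own bulbs contacting.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumptions: the router runs nftables,
# the bulbs sit on their own interface "iot0", and 203.0.113.10 is a
# placeholder (documentation range) for the vendor endpoint you observed.

define IOT_IF = "iot0"
define VENDOR_CLOUD = { 203.0.113.10 }

table inet iot_fence {
    chain forward {
        # Policy stays "accept" so this table only affects bulb traffic.
        # Replies from the vendor server arrive on another interface and
        # pass; DHCP/DNS served by the router itself use the input hook
        # and are not touched here.
        type filter hook forward priority 0; policy accept;

        # Everything a bulb tries to send through the router is judged below.
        iifname $IOT_IF jump from_bulbs
    }

    chain from_bulbs {
        # Bandwidth cap first: combined bulb traffic above 32 KB/s is
        # discarded, so a hijacked bulb cannot use the full uplink even
        # toward the allowed server.
        limit rate over 32 kbytes/second counter drop

        # The only destination bulbs may reach (IPv4; bulb IPv6 falls
        # through to the drop below).
        ip daddr $VENDOR_CLOUD counter accept

        # Anything else is the interesting case: log a sample, then drop.
        limit rate 10/minute log prefix "iot-fence drop: "
        counter drop
    }
}
```

Running `nft -c -f` on the file checks it without loading it. After loading, `nft list table inet iot_fence` shows the counters, and a rising count on the final drop rule means a bulb is trying to reach something other than its server.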
@InsideDayLabor @the_inevitable I’ve noticed my Smartlife bulbs still work from the SmartLife app on my honeypot phone acct with no internet access, but I don’t believe Alexa can talk to them without the smartlife-skill persistent connection. It’s possible that, after setup, one could cut off internet access and still use them, but it might require an IFTTT server for the Alexa, since the ‘native’ connection wouldn’t work.
@caffeineguy @the_inevitable If you flash them to remove the cloud, as you say, assuming they’ve got the right chip and you’ve got the right skills to disassemble them and solder wires to the right pads and the right serial cable to connect them to your computer, you’ll still need to be running a server on a computer to control them.
I don’t have the knowledge to talk to the security side of these bulbs, but it’s good to consider what others have said regarding that. I can only talk as someone who bought Geeni surge protectors from meh before, and bought these bulbs last time they were up here.
I had no issue connecting these to my existing account, and had no issue adjusting brightness and color through the Geeni app.
But I had to reach out to Geeni customer support before I could get any of them to show up in my Google Home, to be controlled from Google assistant. In the end, I had to supply the individual bulbs’ “virtual ID” directly to customer support before they would appear on Google’s app. They did resolve it, but there’s an increased chance you may need to jump through the same hoops for your home assistant.
I’m slowly changing many of my lights over to smart lights, and these were a great value when I bought them. Sure, there’s a possible extra hoop to jump through, but I didn’t personally find it inconvenient enough not to be worthwhile. You will have to weigh that added cost for yourself, but I feel they’re worth the price.
They’re decent lights. They’re only 1050 lumens on the ‘white’ mode, but never mind that. They’ve got to connect to a 2.4 GHz network, so enjoy that if your 5 GHz and 2.4 GHz networks share an SSID. But whatever.
The real problem is that if they lose wifi, they blink. And you can’t stop them blinking. And then you have to remove and re-add them in the app. They refuse to be regular lightbulbs if they’re not attached.
That said, I’ve had mine plugged in for a few days, and integrated with Google Home. It’s responsive and handy and easy to control.
I’m definitely going to be setting up an InternetOfShit VLAN for my IoT stuff, though.
@flynnski I’ve got several of these, and while they may go into blink mode to say “I’m ready to be connected to wifi,” mine have never done that because wifi went down.
Just lately I had to shorten the password on my 2.4GHz wifi because a new gadget had stupid firmware, and that meant re-adding all my Geeni bulbs. The bulbs didn’t blink until I turned the power off and on 3 times (which is the prescribed method of getting them to join your network).
Possibly yours had older firmware, I suppose, with an ill-considered use of blink mode.