Researchers playing with Twinkly connected lights discovered vulnerabilities that allowed them to display customized lighting effects and remotely turn off the lights. They estimate that approximately 20,000 devices are available on the Internet.

The LEDs of the Twinkly lights can be controlled individually. Users manage their Twinkly smart decoration through a mobile application that sends unencrypted communications over the local network, which makes traffic analysis trivial. By exploiting the inherent weaknesses in authentication and in how commands are communicated, the researchers were able to use the lights to create light shapes.

Once the application knows the IP address of the lights, it receives an authentication token and retrieves information about the device. “The authentication process, while it could be a good idea, is imperfect,” said researchers at MWR InfoSecurity, a company recently acquired by F-Secure.

Given these security flaws, it would be easy for an attacker on the network to intercept the communication between the Twinkly lights and the mobile application and use it to manipulate the LEDs in custom patterns or turn them off.