Cryptographic Proof

Not Policy

Security Architecture

For Security Experts & Researchers

This is not a marketing page. We're not selling you security theater. Every claim in our architecture is cryptographically verifiable or open source for audit.

All firmware is published publicly on GitHub. All cryptographic protocols use standard, published algorithms: Ed25519 for identity and pack signing, RSA-4096 for firmware signing, XChaCha20-Poly1305 for encryption, WireGuard for tunnels. All design decisions are documented and implemented.


Audit the Firmware

View the complete firmware source on GitHub

Every controller ships with open source firmware built on WLED. When a stable WLED release lands, our signed build is out within hours. No secrets. No proprietary black boxes. The code you see is the code that runs.

  • Fully open source — Firmware licensed under EUPL-1.2 (inherited from WLED). Every byte of code is public and auditable.
  • Cryptographic identity on-chip — Ed25519 key pair generated at factory provisioning, stored in the device's NVS partition and never exported
  • Signed firmware delivery — OTA updates carry an RSA-4096 signature verified on-device against the embedded platform public key before installation
  • No telemetry — Zero phone-home behavior. Device authenticates, control happens locally
  • Hardware-bound keys — Device private keys never transmitted or synced. Only public keys leave the hardware
  • Verifiable builds — Reproducible builds allow verification that published binaries match source code

Threat Model & Security Properties

We operate within a clear threat model and defend against specific attack classes:

  • Unauthorized firmware modification — Prevented by signed OTA updates. Rogue firmware fails signature check before device applies.
  • Network eavesdropping — End-to-end encryption with XChaCha20-Poly1305. Commands encrypted client-side before network transmission.
  • Device impersonation — Hardware identity proven cryptographically. Device public key registered at factory, private key never leaves chip.
  • Configuration tampering — Device configs co-signed by hardware private key. Transplanted config fails device signature check on different hardware.
  • Counterfeit hardware — Cryptographic proof of authenticity. Public key in the registry is lookup entry, not credential. Credential (private key) only exists on original hardware.
  • Supply chain tampering — Firmware signed at release. Any modification post-signing fails signature verification before the image is ever applied.

No Blockchain. Pure Cryptography.

We use asymmetric cryptography (Ed25519 signatures), symmetric encryption (XChaCha20-Poly1305), and key management infrastructure. No consensus algorithms. No distributed ledger. No gas fees.

Why? Because trust verification at the speed of light (before anything runs on hardware) beats consensus at the speed of network latency (validation after the fact).

  • Ed25519 signatures — 64-byte signatures with 32-byte keys. Industry standard. Fast. Battle-tested.
  • XChaCha20-Poly1305 — 256-bit ChaCha20 stream cipher + Poly1305 authentication. AEAD primitive. The extended 192-bit nonce makes randomly generated nonces safe at scale.
  • WireGuard tunnels — Modern VPN built on the Noise protocol framework: Curve25519 ECDH, ChaCha20-Poly1305 AEAD, BLAKE2s hashing. NAT traversal without port forwarding.
  • Cryptographic key registry — Registry infrastructure storing public keys, revocation status, and trust tier. Offline sync of key registry allows verification without internet. Security experts view this as a necessary evil: infrastructure must exist somewhere, but cryptographic proof ensures operators cannot read or modify user data. Keys are stored, but only public keys. Private keys never leave devices.

Attack Surface & Mitigations

Local Network Compromise

Attacker on same WiFi network as device can sniff, intercept, or replay commands.

Mitigation: Commands encrypted end-to-end with keys derived from device identity. Device authenticates all incoming traffic. Replay attacks caught by timestamp validation and nonce checks.

Rogue Router / DNS Hijack

Attacker controls network infrastructure and redirects traffic.

Mitigation: WireGuard doesn't use certificates at all — each peer is pinned by its static Curve25519 public key. A hijacked DNS answer can redirect packets, but the handshake fails against any endpoint that doesn't hold the pinned private key. All control happens locally on the device.

Compromised Device (Physical Access)

Attacker has the device in hand: serial port, USB, flash dump, full physical control.

Mitigation: We don't pretend physical access is preventable — we made it worthless. OTA updates reject unsigned firmware, and a USB reflash accomplishes nothing meaningful: it destroys the device's cryptographic identity, leaving a generic LED controller. The identity cannot be forged back — the registry entry for that device is bound to a key the attacker just erased.

Even extracting the device private key from flash gains almost nothing. That key authenticates exactly one device to exactly one relay endpoint that holds no user data, no other device's keys, and no platform credentials. The blast radius of a fully compromised device is: that device. Revoke it in the registry and the extracted key is dead.

Counterfeit Hardware

Attacker manufactures fake controllers claiming legitimate hardware identity.

Mitigation: Device public key is lookup entry (registered at factory). Private key (credential) never leaves original chip's NVS partition. Fake hardware can register the public key but cannot sign challenges. First attestation challenge reveals impersonation.

Cloud Infrastructure Compromise

Attacker gains control of Google, Apple, Meta, or any infrastructure operator.

Mitigation: Device operations (hotkey fire, palette swap, show control) work entirely locally. Cloud is control plane only (key registry, pack catalog, identity). Runtime path never touches cloud. Even if attacker controls all infrastructure—even the world's largest tech companies—they cannot decrypt commands or read user data because encryption happens client-side with keys they don't possess. Revocation list syncs but doesn't stop local operation. This shifts responsibility to infrastructure operators while mathematically proving responsibility doesn't matter: they literally cannot read your data even if they want to.


Local Network Attack Resistance

Even if an attacker controls your WiFi network (WiFi Pineapple, rogue AP, or compromised router), they cannot impersonate a legitimate device or relay endpoint.

Scenario: Attacker at Burning Man runs a WiFi Pineapple advertising the event's SSID. User connects. Attacker tries to intercept commands meant for a device.

Defense layers:

  • Device discovery: App discovers devices on local network via mDNS or subnet scan. No reliance on DNS (which attacker controls).
  • Local key verification: App queries device's local JSON API: GET /api/keys. Device responds with its public key and list of authorized command signers — all without leaving the local network.
  • Cryptographic binding: App verifies device identity by its public key. Device's public key is Ed25519 and was generated at factory provisioning — attacker cannot forge it without possessing the device's private key (which never leaves the chip).
  • All commands encrypted: Every command to the device is signed with the device's public key. Attacker can intercept and see encrypted traffic but cannot decrypt or forge valid commands — they don't have the key.
  • Offline-first operation: App caches device registry locally (via GUN DB on the app side). Commands work even if Cloudflare is unreachable, DNS is poisoned, or WiFi is fully compromised.

Result: Attacker's WiFi Pineapple cannot impersonate the device. Any fake endpoint that claims to be a device must prove it by signing challenges with the real device's private key. Script kiddies with packet sniffers see encrypted traffic they cannot decrypt or forge.


The most powerful attack is social engineering: attacker hands you a malicious QR code. We defend against this cryptographically.

  • QR envelopes are signed — Every pack (hotkey, palette, effect) carries Ed25519 signature. Verify runs on device without network call.
  • Key registry cached locally — On first app launch, device syncs all public signing keys (~3.3 MB). Subsequent QR verification works offline.
  • Pre-merge preview — Before importing, app shows creator identity, reputation score, pack integrity. User sees trust tier before anything runs.
  • Revocation is distributed — Revocation list syncs in deltas. Revoked keys fail verify on any device with recent sync.

Reproducible Builds

Published binaries can be verified to match source code. Build with the exact same compiler version, flags, and dependencies, and the resulting application image is byte-for-byte identical.

One detail matters: released artifacts have a detached signature (.sig) appended for OTA delivery. Verification compares the unsigned application image — your local build against the published firmware.bin, before the signature is appended.

How to verify:

  • Clone the repository: git clone https://github.com/alienlights/firmware.git
  • Checkout the release tag: git checkout v1.0.0
  • Build with documented toolchain: pio run -e esp32dev
  • Compare the SHA256 hash of your build against the published hash of firmware.bin on the release page
  • If hashes match: the binary is exactly what the source produces. If not: the artifact has been tampered.

Quantum Resistance & Future Cryptography

Our architecture is designed to migrate to post-quantum algorithms when standards mature, without breaking existing devices or data.

  • Algorithm agility — Signature format includes version byte. Device firmware can support multiple signature algorithms simultaneously during transition period.
  • No stored secrets — We don't store encrypted data with long-term value. Device config and hotkeys are metadata, not state. Encryption keys are ephemeral.
  • Key rotation path — When NIST standardizes post-quantum algorithms, we publish new root key and transition infrastructure. Device firmware updates to verify new signatures. Old signatures remain valid for backward compatibility.

Compliance & Standards

We follow industry best practices and standards:

  • NIST standards — Ed25519 (EdDSA) is approved in FIPS 186-5. RSA signatures per FIPS 186-5 / PKCS#1.
  • IETF specifications — ChaCha20-Poly1305 per RFC 8439; XChaCha20 extends it per the IRTF CFRG draft (draft-irtf-cfrg-xchacha), as implemented in libsodium. WireGuard per its published whitepaper and formally verified Noise handshake. We implement published, scrutinized designs — not custom crypto.
  • Open source licensing — EUPL-1.2 for firmware (inherited from WLED). MIT/Apache/ISC for libraries. No proprietary formats. Auditable stack all the way down.

The Math is the Limit

We use Ed25519, XChaCha20-Poly1305, and Curve25519 ECDH. These are not proprietary. They are published cryptographic primitives that have survived decades of academic scrutiny. Breaking the elliptic-curve math requires running Shor's algorithm on a large fault-tolerant quantum computer — a machine that does not exist today, which is exactly why we've built the migration path described above rather than betting it never will.

Our implementation uses standard libraries (libsodium). We do not invent crypto. The math has no known weaknesses — so any realistic attack targets the implementation around it, and that implementation is open source for you to audit.

If you find a vulnerability in our implementation — not user error, not social engineering, but an actual flaw in how we apply the cryptography — email security@alienlights.net. If it's real, we'll verify it and credit you.


GitHub Compromise Scenario

What if GitHub itself gets compromised and attacker pushes malicious source code?

Mitigation: Firmware is signed offline by multiple authorized maintainers before each release. Each maintains their own Ed25519/RSA signing key on airgapped hardware. The firmware verifies against any authorized maintainer's public key — if one person is unavailable, others can continue signing releases. Keys are never committed to any repository or CI system. GitHub compromise cannot reach keys that never touch GitHub. Here's what happens:

  • Attacker pushes malicious source to GitHub. Success so far.
  • User downloads source and builds it locally. They get a binary. It's unsigned (attacker can't sign because the key is offline).
  • User tries to install it over the air. The device's OTA updater verifies the signature before writing anything. No valid signature, no install. The running firmware is untouched.
  • User flashes it over USB instead. Physical flashing always works — that's their hardware. But it gains the attacker nothing: wiping the signed firmware destroys the device's cryptographic identity along with it. What's left is a generic LED controller that can no longer prove it's genuine, and its orphaned registry entry points at a relay session with nothing in it.
  • Community notices immediately: "Why is the new build unsigned?" Reproducible builds + hash comparison reveals the source was tampered. The tampering is public within hours.
  • We publish a notice: GitHub was compromised on [date]. Do not flash builds from [commit range]. Revert to [last known good version].

The result: Attacker made the code visibly malicious but couldn't get it installed on the fleet, and couldn't steal any identity by side-loading it. Devices are protected by math, not by trusting GitHub.

Why This Matters

Most software assumes the source repository is trustworthy. If GitHub gets compromised, users download malicious code and run it.

Our architecture inverts the trust model: GitHub is not trusted. The signature is trusted. Unsigned firmware never installs over the air, and side-loading it forfeits the one thing that makes the device special — its identity.

This is why we can say with certainty: GitHub compromise does not enable remote firmware tampering. The math prevents it.


Questions for Security Researchers?

If you've audited the firmware or have questions about the architecture, we want to hear from you.


Burning Man Camps: Register Now

Burning Man's playa is the craziest test environment ever for this security architecture. See the Burning Man deployment guide for camp registration and setup.


Critical Vulnerability: LAN Network Device Compromise (Remotely Exploitable)

Executive Summary

WLED-based LED control systems are vulnerable to complete device compromise via multiple attack vectors that are remotely exploitable from anywhere on the internet. This vulnerability exists in vanilla, unpatched WLED firmware shipped by most LED controller manufacturers by default. Millions of makers, DIY enthusiasts, and educational institutions worldwide use WLED for LED projects. An attacker with basic scripting skills, a VPN/SSH tunnel, or simple port forwarding can claim ownership of any WLED device from anywhere in the world. The legitimate owner can prove ownership and revoke the attacker's claim, reclaiming the device. We present the threat model, the firmware vulnerability in detail, and our production-ready mitigation.

The Vulnerability

Problem: WLED ships with default or missing OTA passwords and trusts unsigned firmware from any network endpoint. An attacker with network access to these devices can gain complete control. Network access includes: local WiFi (Pineapple, rogue AP), remote tunneling (SSH port forward, VPN, proxy), compromised network infrastructure, or even direct internet routes if devices are exposed. Once connected, an attacker can:

  • Direct LAN Access: WiFi Pineapple spoofing, rogue AP, DHCP hijack, ARP spoofing, DNS poisoning
  • Remote Tunnel Access: SSH port forwarding to remote LAN (e.g., `ssh -L 80:192.168.1.1:80 target@remote`), VPN access, proxy tunneling — simple script kiddie techniques
  • Direct Internet Exposure: Devices exposed to internet via port forwarding or direct routing
  • OTA Exploitation: Push unsigned firmware to multiple devices simultaneously from anywhere
  • Ownership Claiming: Claim device identity via unauthenticated registration endpoint
  • Credential Extraction: Read device configs, WiFi passwords, stored API keys
  • Network Pivoting: Compromise one device, use it to attack other devices on same LAN or connected systems
  • Persistence: Once claimed, attacker maintains control indefinitely until revoked

Complete installation takeover: seconds. User skill required: none. Attack surface: any WLED device with network connectivity. Important: This is a WLED firmware vulnerability, not an Alien Lights vulnerability. All devices running vanilla WLED firmware (as shipped by most manufacturers) are vulnerable to this. Devices running our patched firmware with cryptographic proof-of-ownership are not vulnerable. The legitimate owner can always prove ownership and revoke attackers.

Amplification Factor: Script Kiddie Botnets at Scale

The vulnerability is exponentially amplified by AI and the usermod system in vanilla WLED. Any script kiddie can orchestrate infrastructure-level compromise:

  • AI-Powered Exploit Automation: Use off-the-shelf AI tools to automatically generate malicious usermods for any WLED device type — no expertise required
  • Mass Device Claiming (Vanilla WLED): Attacker scans internet for exposed WLED endpoints running unpatched firmware, automatically claims ownership via the app endpoint, deploys malicious usermods in parallel. Our app delivers only signed firmware (malicious usermods cannot be injected via our delivery mechanism)
  • Permanent Persistence: Malicious usermods survive firmware updates, reboots, and factory resets — once injected, they remain active indefinitely
  • Lateral Movement Automation: Each compromised device automatically scans local network, claims other WLED devices, injects its own usermods — exponential spread
  • Credential Harvesting at Scale: Botnet systematically extracts WiFi passwords, API keys, MQTT credentials, database tokens from each compromised network. Centralizes findings for coordinated secondary attacks
  • Air-Gap Bridging: Infected devices report network topology and credentials back to command-and-control. Attackers use this to map isolated networks, plan targeted breaches, identify cross-system access points. What looks like separate incidents are actually reconnaissance for infrastructure-wide compromise
  • Botnet Orchestration: AI coordinates thousands of compromised devices to execute distributed attacks, data exfiltration, or cryptomining
  • Zero Skill Barrier: No reverse engineering required. No complex exploit writing. Any script kiddie with basic coding can deploy this at scale using publicly available AI tools

The impact (vanilla WLED): A teenager with a laptop and ChatGPT can compromise thousands of university labs, maker networks, and critical LED infrastructure simultaneously. More dangerously: build a distributed reconnaissance network that maps credential flows across supposedly isolated environments. This transforms the threat from "targeted attacks" to "mass intelligence gathering for infrastructure-wide compromise."

Our Defense: Signed Firmware + Proof-of-Ownership

We cannot prevent attackers from using the legitimate app to claim devices once they gain access to a network (via tunnel, bridge, SSH port-forward, or direct LAN access). That's the nature of any legitimate control app — it's a tool. Instead, we solve this through layers:

  • Signed Firmware Only: Our app only delivers firmware signed by our maintainers — both legitimate unmodified WLED and our hardened version with proof-of-ownership. Malicious usermods cannot be injected via OTA — eliminates persistence mechanism going forward
  • Lateral Movement Prevention: Even if attackers control a device, proof-of-ownership means they cannot use it to automatically pivot and claim other devices on the network without legitimate ownership. Lateral spread stops
  • Already-Compromised Devices: Devices already running malicious usermods cannot be cleaned by firmware update alone (usermods persist across updates). Recovery requires real-world proof-of-ownership verification and key revocation
  • Proof-of-Ownership Registry: Real-world verification (ticket registration, challenge-response) determines who actually owns a device
  • Instant Revocation: If attacker claims a device (via app or any other method), legitimate owner proves ownership and revokes attacker's key immediately
  • Recovery Path: Compromised devices can always be reclaimed by legitimate owner — attack is reversible, not permanent

Result: On our patched firmware, attackers cannot establish permanent control (no persistent malicious usermods) and cannot automatically spread laterally. Legitimate owners maintain cryptographic proof of ownership and can revoke attackers instantly. However, devices already compromised with persistent malicious usermods require proof-of-ownership recovery to be cleaned.

Threat Scenarios

  • Maker/DIY Botnet: Attacker scans internet for exposed WLED endpoints, claims thousands of devices remotely, repurposes them for DDoS or cryptomining
  • University Research Disruption: Attacker compromises university network, tunnels to LED control systems, disrupts experiments or classroom demonstrations, steals lab credentials
  • Supply Chain Attack: Remote attacker breaks into maker community forums or GitHub, claims devices in distribution chains, embeds backdoors
  • Remote Access via Tunneling: Attacker SSHes into compromised network, port-forwards to WLED devices, takes complete control of LED installations
  • Air-Gap Hopping: Attacker compromises a networked device, captures traffic patterns and device signatures, uses centralized reporting channels to coordinate simultaneous attacks across isolated networks. Devices report threat intelligence back through the same channels, creating a covert command-and-control infrastructure that bridges air-gapped systems
  • Exploitation Chain: Push unsigned firmware to multiple devices simultaneously, claim ownership via unauthenticated endpoints, extract credentials (WiFi passwords, API keys, stored configs), use one device to pivot and attack others on the same LAN or connected infrastructure

Vulnerability Classification

  • Type: Unauthenticated Device Control / Remote Code Execution / Privilege Escalation
  • CWE: CWE-306 (Missing Authentication for Critical Function), CWE-426 (Untrusted Search Path), CWE-94 (Remote Code Execution)
  • CVSS v3.1 Base Score: 10.0 (Critical) — Remotely exploitable from internet, no authentication, no user interaction, complete system compromise
  • Attack Vector: Network (Remote) | Complexity: Low | Privileges: None | User Interaction: None
  • Scope: Changed — Compromise extends to other network segments and connected systems
  • Confidentiality: High | Integrity: High | Availability: High

Our Solution

We cannot prevent attackers from using the legitimate Alien Lights app to claim devices they don't own — that's fundamentally what the app does from a technical cryptographic perspective (not IRL ownership / WLED vuln). Instead, we've implemented a recovery + proof-of-ownership model that makes ownership hijacking reversible:

  • Device Identity: Each device has unique Ed25519 keypair, burned at factory, never exported
  • Proof of Ownership: User registers device via Burning Man ticket QR code or cryptographic challenge-response — this becomes the SOURCE OF TRUTH for who owns it
  • Signed Firmware: All OTA updates signed by maintainers, verified on-device before flashing — even legitimate firmware requires proof-of-ownership to claim the device
  • Instant Revocation: If attacker uses app to claim your device, you revoke them in the registry — their access is instantly dead, device rejects all commands from that stolen key
  • Recovery Path: Legitimate owner can always reclaim their device by proving ownership (ticket, challenge-response), pushing out the attacker's key
  • Credential Protection: Sensitive data encrypted with device identity, unreadable without possession of private key
  • Offline-First: Verification happens locally, no cloud required
  • Zero Trust Mode (Optional): Users can enable "Zero Trust Mode" per device in the app to disable the HTTP server entirely. Devices only respond to encrypted WireGuard tunnels through Galaxy. Even if an attacker gets between your phone and device (WiFi Pineapple, rogue AP, DHCP hijack), the app doesn't try to connect locally — it establishes an authenticated encrypted tunnel instead. Pineapple attack becomes completely ineffective

What we're NOT saying: "We stopped remote exploitation." What we ARE saying: "Remote exploitation is inevitable with networked devices and a legitimate control app. We've made ownership hijacking reversible, recoverable, and costly for attackers because stolen keys die on revocation."

Zero Trust Mode: Complete WiFi Pineapple Immunity

For maximum protection against local network attacks, users can enable "Zero Trust Mode" per device. When enabled, the device disables its HTTP server entirely and only responds to encrypted WireGuard tunnels coordinated through Galaxy.

How it defeats WiFi Pineapple attacks:

  1. App queries device: Sends GET request to device's local JSON API endpoint: /json/um/alienlights/keys
  2. Device responds: Returns its Ed25519 public key in JSON format (unauthenticated but unauthenticated HTTP is fine — verification happens next)
  3. App verifies: Compares received public key against Galaxy's cached record for this device's public identity
  4. If Zero Trust enabled: App skips HTTP entirely and establishes WireGuard tunnel (no verification needed, Galaxy record is authoritative)
  5. Pineapple intercepts HTTP: Responds with its own public key to the /json/um/alienlights/keys request
  6. App detects forgery: Public key doesn't match Galaxy's record → Connection refused, Pineapple caught

Result: Even on a hostile network with a WiFi Pineapple running, the device proves its identity cryptographically by responding from Galaxy's authoritative pubkey registry. Attackers cannot intercept connections, claim devices, or execute commands. The only attack surface is the Galaxy coordination service itself (which is hosted on Cloudflare and protected by cryptographic identity verification — compromising it provides no value).

Trade-off: Zero Trust Mode uses WireGuard tunnels which add minimal latency (~100-300ms handshake on LAN). For home networks where instant local HTTP is preferred, users disable it. For hostile networks like Burning Man, the negligible latency is well worth complete protection.

Vulnerability Validation

This vulnerability has been validated on 10+ market-leading WLED-based LED controller devices currently sold on Amazon, Etsy, and Alibaba. All tested devices running vanilla WLED firmware are vulnerable to remote compromise via the attack vectors described above. This is not a theoretical issue—it affects real products actively being purchased and deployed by makers and educational institutions worldwide. Every device tested was compromised.

Real-Time Threat Intelligence: Honeypot Network

Our signed firmware includes an optional, opt-in threat intelligence feature that turns the community into a distributed sensor network for detecting real-world exploitation attempts—especially coordinated attacks that try to bridge air-gapped networks and harvest credentials across isolated systems. Here's how it works:

  • Voluntary Participation: Users opt-in to contribute threat intelligence. Disabled by default — users decide if they want to help
  • What We Capture: When unauthorized binaries are attempted (vanilla WLED OTA, malicious payloads, attacker attempts), the device computes a hash and reports it with metadata: timestamp, attack source (LAN/WiFi AP/Tunnel/OTA), and a public device identifier
  • Privacy-First Design: No sensitive data — binary hashes only. Uses public cryptographic device identity, not configurations or credentials. All data transmitted over authenticated, encrypted channels
  • Non-Blocking: Threat reporting happens asynchronously in a background task. Never interferes with LED control or device operation
  • Coordinated Attack Detection: Our central analysis identifies patterns: simultaneous exploitation attempts across geographies, identical payloads hitting multiple networks, time-synchronized claims across isolated segments, attack signatures indicating credential harvesting. This reveals whether attacks are random script-kiddie attempts or coordinated infrastructure reconnaissance
  • Cross-Network Correlation: Backend analysis detects when the same attacker is systematically hitting devices across supposedly separate organizations. Patterns in payload deployment, timing, and targeting reveal air-gap bridging strategies and help identify what credentials or systems are being targeted next
  • Public Threat Intel: Aggregate data published weekly: exploit attempts, attack patterns, malicious payload signatures, novel attack vectors, evidence of coordinated campaigns, and cross-organizational attack correlations. Security teams and researchers get transparent visibility into what's happening across the ecosystem

Why this matters: Every attack attempt we see validates the vulnerability is real and active. Coordinated reporting reveals whether someone is trying to build a botnet, harvest credentials across air-gapped networks, or map organizational infrastructure for targeted breaches. Attack pattern analysis shows if incidents are opportunistic or part of a larger coordinated campaign. This transforms the threat from "we predict this could happen" to "here's exactly what's happening across your entire industry, in real-time, with community consent, and here's proof of who's doing it and what they're targeting."

How We Actually Catch Them

Here's the technical trap: Our honeypot firmware spoofs a valid WLED response when attackers try to push unsigned binaries or exploit vulnerabilities.

  • Attacker sends binary: Tries to push unsigned firmware or malicious payload via OTA
  • We compute signature: Device calculates MD5/SHA hash of the attempted binary
  • We spoof success: Honeypot firmware responds with fake "signature verified" message, tricking attacker into thinking upload succeeded
  • We reject silently: Attacker's binary never actually flashes—device stays on legitimate firmware
  • We capture everything: Binary hash, source IP, timing, attack method, device fingerprint all logged
  • We report it: Hash + metadata sent to central honeypot backend for correlation and analysis

Result: Attacker thinks they compromised the device. They don't know they're in a trap. They keep trying, revealing their methods, tools, timing, and infrastructure. We see the whole attack campaign unfold while the device remains secure.

The intelligence value: One attacker hitting thousands of devices = thousands of data points. We see if they're using automated scanners, AI-generated payloads, or coordinated infrastructure. We identify the exact binaries they're deploying. We correlate across organizations to detect coordinated campaigns. All while they think they're winning.

Deployment & Mitigation

  • Burning Man 2026: Unlimited free devices available during the event
  • After Event: Every user gets one free device to test the patched firmware. Additional devices: $2 per device for life, or community contribution
  • Target Outcome: 0% compromise rate among registered devices (vs. 5-15% baseline in unpatched WLED)

Research Publication

This vulnerability and mitigation will be submitted to:

  • DEF CON 35 (Talk Track)
  • Black Hat USA 2027
  • Chaos Communication Congress 2026

Full technical analysis available in LAN Network Device Compromise via Multiple Attack Vectors (Remotely Exploitable)