The smart home of your dreams could potentially leak your personal information to hackers through an almost unimaginable vulnerability: light bulbs.

In a new paper, researchers from the University of Texas at San Antonio (UTSA) design and implement attacks that leverage characteristics of the light emitted by modern smart bulbs to “steal” users’ private data and preferences from other nearby devices.

“Your smart bulb could come equipped with infrared capabilities, and most users don’t know that the invisible wave spectrum can be controlled,” says paper co-author Murtuza Jadliwala, an assistant professor and Director of Security, Privacy, Trust and Ethics at the USTA’s Computing Research Lab. “Think of the bulb as another computer — any data can be stolen: texts or images. Anything that is stored in a computer.”

A smart bulb is an Internet-capable LED light bulb that enables lighting to be customized, scheduled and controlled remotely. Smart bulbs are among the most immediately successful offerings in the growing category of home automation and Internet of Things (IoT) products. According to a MarketsandMarkets report, the world’s smart lighting market is estimated to grow from US$7.9 billion in 2018 to US$21.0 billion by 2023.

Earlier this year, Amazon’s Echo smart speaker was found to be recording users’ conversations, which were reportedly heard by thousands of Amazon employees. Jadliwala believes that smart bulbs may be poised to become an even more attractive target for data privacy exploitation, even though they are embedded with very simple chips.

Smart bulbs connected to a home network rather than a smart home hub — a centralized hardware or software device where other loT products communicate with each other — are especially easy to target. If these bulbs are infrared-enabled, hackers can send commands via the invisible infrared light emitted by the bulbs. These commands can be used to hack into other IoT devices on the home network to steal data. Moreover, the victim would likely not notice such hacking because the commands would be transmitted within the owner’s home Wi-Fi network, where they might not be detected by Internet-based security systems.

Jadliwala says smart bulbs connected to dedicated home hubs are currently safer alternatives because they do not access any Wi-Fi networks, but he also believes smart bulb manufacturers will have to ramp up their security measures to limit the level of access such bulbs might have to other smart home appliances within a home system.

The paper Light Ears: Information Leakage via Smart Lights is on arXiv.