My first pass at this would be to put something like Charles between the wifi AP and the internet and take a look at what was going on. After understanding the protocol, it would then be a lot easier to look for an OTA FW exploit or MITM attacks around the string manipulation functions used to communicate with the outside.
The guy tried that before I joined the project, but at some point the specific bulb stopped communicating with the cloud, and we decided to embark on the firmware extraction adventure. Also, it seems like they use SSL with public key pinning, and I am not sure if this could be intercepted by Charles. Though he gets another bulb soon, so we can definitely try this again :)