Researchers at security firm Rapid7 have identified several vulnerabilities in the home and professional versions of Osram’s Lightify smart connected lighting products.
Unveiled last year at the International Consumer Electronics Show (CES), the Lightify indoor and outdoor lighting systems can be controlled and automated through a mobile application to help users save energy, personalize their environment and enhance comfort.
An analysis conducted by Rapid7 earlier this year revealed that Lightify products are plagued by a total of nine security holes that can be exploited to hack the devices and the networks they are hosted on.
One of the flaws found by researchers in the home version of Lightify is related to the storage of the user’s WiFi credentials (WPA PSK) in clear text in the iOS application. In the case of the pro version, experts discovered that the devices store a weak WPA2 PSK that can be cracked in just a few hours. These issues have been assigned the identifiers CVE-2016-5051 and CVE-2016-5056.
The home version of the Osram Lightify product also contains a flaw that allows an unauthenticated attacker to execute arbitrary commands that change the lighting and reconfigure the device (CVE-2016-5053).
“Examination of the network services on the gateway shows that port 4000/TCP is used for local control when Internet services are down, and no authentication is required to pass commands to this TCP port,” Rapid7 said in its advisory.
In the professional version, experts identified a persistent cross-site scripting (XSS) vulnerability in the web management interface (CVE-2016-5055). The weakness allows malicious actors to inject and execute arbitrary code that can change the system’s configuration, exfiltrate or alter data, and hijack the product in an effort to launch browser-based attacks.
The mobile app used for configuring the Osram Lightify Pro system was found to cache screenshots of the current page. In some cases, these screenshots can contain the gateway’s password in clear text (CVE-2016-5059).
Neither the home nor the pro version of the product uses SSL pinning, which allows malicious actors to conduct man-in-the-middle (MitM) attacks to inspect or manipulate traffic. Furthermore, both versions are affected by a ZigBee network command replay flaw that an unauthenticated attacker can leverage to disrupt lighting services.
Osram was informed about the vulnerabilities in mid-May, and it will soon release patches for most of them; the SSL pinning and ZigBee-related issues are not covered by the planned update.
“OSRAM agreed to security testing on existing LIGHTIFY products by security researchers from Rapid7. Since being notified about the vulnerabilities identified by Rapid7, OSRAM has taken actions to analyze, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August,” the company told SecurityWeek.
“RAPID7 security researchers also highlighted certain vulnerabilities within the ZigBee® protocol, which are unfortunately not in OSRAM’s area of influence. OSRAM is in ongoing coordination with the ZigBee® Alliance in relation to known and newly discovered vulnerabilities,” it added.
This is not the first time Rapid7 has analyzed the security of Internet of Things (IoT) products. The company recently warned users that a vulnerability in Comcast’s Xfinity Home Security system could allow thieves to break into homes without triggering the alarm.