Vulnerabilities Found in Osram Smart Lighting Products

Researchers at security firm Rapid7 have identified several vulnerabilities in the home and professional versions of Osram’s Lightify smart connected lighting products.

Unveiled last year at the International Consumer Electronics Show (CES), the Lightify indoor and outdoor lighting systems can be controlled and automated through a mobile application to help users save energy, personalize their environment and enhance comfort.

An analysis conducted by Rapid7 earlier this year revealed that Lightify products are plagued by a total of nine security holes that can be exploited to hack the devices and the networks they are hosted on.

One of the flaws found by researchers in the home version of Lightify is related to the storage of the user’s WiFi credentials (WPA PSK) in clear text in the iOS application. In the case of the pro version, experts discovered that the devices store a weak WPA2 PSK that can be cracked in just a few hours. These issues have been assigned the identifiers CVE-2016-5051 and CVE-2016-5056.

The home version of the Osram Lightify product is also plagued by a flaw that allows an unauthenticated attacker to execute arbitrary commands for changing the lighting and reconfiguring the device (CVE-2016-5053).

“Examination of the network services on the gateway shows that port 4000/TCP is used for local control when Internet services are down, and no authentication is required to pass commands to this TCP port,” Rapid7 said in its advisory.

In the professional version, experts identified a persistent cross-site scripting (XSS) vulnerability in the web management interface (CVE-2016-5055). The weakness allows malicious actors to inject and execute arbitrary code that can change the system’s configuration, exfiltrate or alter data, and hijack the product in an effort to launch browser-based attacks.

The mobile app used for configuring the Osram Lightify Pro system was found to cache screenshots of the current page. In some cases, these screenshots can contain the gateway’s password in clear text (CVE-2016-5059).

Both the home and pro versions of the product fail to use SSL pinning, which allows malicious actors to conduct man-in-the-middle (MitM) attacks in an effort to inspect or manipulate traffic. Furthermore, both versions are plagued by a ZigBee network command replay flaw that can be leveraged by an unauthenticated attacker to disrupt lighting services.

Osram was informed about the vulnerabilities in mid-May and it will soon release patches for most of them, except the SSL pinning and ZigBee-related issues.

“OSRAM agreed to security testing on existing LIGHTIFY products by security researchers from Rapid7. Since being notified about the vulnerabilities identified by Rapid7, OSRAM has taken actions to analyze, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August,” the company told SecurityWeek.

“RAPID7 security researchers also highlighted certain vulnerabilities within the ZigBee® protocol, which are unfortunately not in OSRAM’s area of influence. OSRAM is in ongoing coordination with the ZigBee® Alliance in relation to known and newly discovered vulnerabilities,” it added.

This is not the first time Rapid7 has analyzed the security of Internet of Things (IoT) products. The company recently warned users that a vulnerability in Comcast’s Xfinity Home Security system could allow thieves to break into homes without triggering the alarm.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
