
Vulnerabilities Found in Osram Smart Lighting Products

Researchers at security firm Rapid7 have identified several vulnerabilities in the home and professional versions of Osram’s Lightify smart connected lighting products.

Unveiled last year at the International Consumer Electronics Show (CES), the Lightify indoor and outdoor lighting systems can be controlled and automated through a mobile application to help users save energy, personalize their environment and enhance comfort.

An analysis conducted by Rapid7 earlier this year revealed that Lightify products are plagued by a total of nine security holes that can be exploited to hack the devices and the networks they are hosted on.

One of the flaws found in the home version of Lightify concerns the iOS application, which stores the user's WiFi credentials (the WPA pre-shared key) in clear text. In the pro version, the researchers found that the devices use a weak WPA2 PSK that can be cracked in just a few hours. These issues have been assigned the identifiers CVE-2016-5051 and CVE-2016-5056.

The home version of the Osram Lightify product is also plagued by a flaw that allows an unauthenticated attacker to execute arbitrary commands for changing the lighting and reconfiguring the device (CVE-2016-5053).

“Examination of the network services on the gateway shows that port 4000/TCP is used for local control when Internet services are down, and no authentication is required to pass commands to this TCP port,” Rapid7 said in its advisory.
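A control port that accepts commands from anyone who can reach it has no way to tell the owner's app from another host on the LAN, and even an authenticated channel stays exploitable if a captured message can simply be sent again, which is the weakness behind the ZigBee replay flaw mentioned later in this article. The Python below is an added example, not Rapid7's proof of concept and not Osram's firmware; it does not implement the Lightify port-4000 protocol (the article does not document it) but shows the two checks a local control channel needs: a per-device HMAC key so that bare commands are rejected, and a strictly increasing counter so that a recorded valid frame cannot be replayed. The key, frame layout and command strings are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Constructed demo key. A real gateway would receive a per-device key during
# pairing/commissioning; it must never be a hard-coded constant like this one.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
TAG_LEN = 16  # truncated HMAC-SHA256 tag


def build_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Frame layout (assumed for this example): 4-byte big-endian counter || command || tag."""
    header = struct.pack(">I", counter) + command
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class OpenReceiver:
    """Models an unauthenticated local control port: every frame is a command."""

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        return True, frame.decode(errors="replace")


class AuthenticatedReceiver:
    """Requires a valid tag under the shared key and a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter value accepted so far

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        if len(frame) < 4 + TAG_LEN:
            return False, "malformed"
        header, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"          # unauthenticated or forged command
        counter = struct.unpack(">I", header[:4])[0]
        if counter <= self.last_counter:
            return False, "replay"           # captured frame re-sent later
        self.last_counter = counter
        return True, header[4:].decode()


def demo() -> Dict[str, object]:
    """Run the same traffic against both receivers; returns the outcomes for inspection."""
    open_rx, auth_rx = OpenReceiver(), AuthenticatedReceiver(DEMO_KEY)
    plain = b"lights off"                        # what an open port takes at face value
    good = build_frame(DEMO_KEY, 1, b"brightness 100")
    forged = build_frame(b"guessed-key", 2, b"factory reset")
    return {
        "open_port_plain": open_rx.accept(plain)[0],        # True: anyone on the LAN wins
        "auth_plain": auth_rx.accept(plain)[0],             # False: no valid tag
        "auth_fresh": auth_rx.accept(good),                 # (True, "brightness 100")
        "auth_replayed": auth_rx.accept(good),              # (False, "replay")
        "auth_forged": auth_rx.accept(forged),              # (False, "bad tag")
        "auth_next": auth_rx.accept(build_frame(DEMO_KEY, 2, b"brightness 50"))[0],  # True
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

Two caveats a practitioner should keep in mind: the receiver's `last_counter` must survive reboots (or be re-synchronised through an authenticated handshake), otherwise every power cycle reopens the replay window; and the tag covers the counter, so an attacker cannot splice a fresh counter onto an old command.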

In the professional version, experts identified a persistent (stored) cross-site scripting (XSS) vulnerability in the web management interface (CVE-2016-5055). The weakness allows malicious actors to inject script that runs in the browser of anyone who later views the affected page, which can be used to change the system's configuration, exfiltrate or alter data, and hijack the product to launch further browser-based attacks.

The mobile app used for configuring the Osram Lightify Pro system was found to cache screenshots of the screen currently displayed. In some cases, these screenshots contain the gateway's password in clear text (CVE-2016-5059).

Both the home and pro versions of the product fail to use SSL pinning (certificate pinning), which allows malicious actors positioned between the app and the server to conduct man-in-the-middle (MitM) attacks in order to inspect or manipulate traffic. Furthermore, both versions are plagued by a ZigBee network command replay flaw that can be leveraged by an unauthenticated attacker to disrupt lighting services.
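Certificate pinning means the app accepts only the server key (or issuing CA) it was shipped with, so an interposed certificate is rejected even if a trust store on the phone would otherwise accept it. The Python below is an added example and not code from Osram or Rapid7: it builds two constructed X.509-shaped DER certificates with a small TLV encoder, extracts the SubjectPublicKeyInfo with a matching parser, and compares its SHA-256 against a pin in the `sha256/<base64>` form used by HPKP and most mobile pinning libraries. Key bytes, names and serial numbers are made up; a real app would pin against the certificate obtained from the TLS handshake (in Python, `SSLSocket.getpeercert(binary_form=True)`).

```python
import base64
import hashlib
from typing import List, Set, Tuple

# ASN.1 tags used below
SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder: tag, definite length (short or long form), value."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, i: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at offset i; returns (tag, value, offset after the element)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n


def children(body: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split a SEQUENCE body into (tag, value, raw TLV bytes) triples."""
    out, i = [], 0
    while i < len(body):
        tag, val, nxt = read_tlv(body, i)
        out.append((tag, val, body[i:nxt]))
        i = nxt
    return out


SHA256_RSA = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))  # sha256WithRSA
RSA_ENC = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))     # rsaEncryption


def make_cert(subject_cn: str, pubkey: bytes, serial: int) -> bytes:
    """Constructed certificate with standard field order and a dummy signature (demo only)."""
    name = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(UTF8, subject_cn.encode()))))
    validity = der(SEQ, der(UTCTIME, b"160101000000Z") + der(UTCTIME, b"260101000000Z"))
    spki = der(SEQ, RSA_ENC + der(BITSTR, b"\x00" + pubkey))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, bytes([serial]))
              + SHA256_RSA + name + validity + name + spki)
    return der(SEQ, tbs + SHA256_RSA + der(BITSTR, b"\x00" + bytes(32)))


def spki_pin(cert_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded: the 'sha256/...' pin form."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    tbs_raw = children(cert_body)[0][2]
    _, tbs_body, _ = read_tlv(tbs_raw, 0)
    fields = children(tbs_body)
    if fields[0][0] == CTX0:          # optional explicit version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_raw = fields[5][2]
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_raw).digest()).decode()


def pinned_ok(cert_der: bytes, pins: Set[str]) -> bool:
    return spki_pin(cert_der) in pins


GATEWAY_KEY = bytes(range(1, 65))     # constructed stand-in for the gateway's public key
MITM_KEY = bytes(range(65, 129))      # constructed stand-in for an interceptor's key


def demo() -> dict:
    gateway = make_cert("lightify-gateway.local", GATEWAY_KEY, serial=1)
    pins = {spki_pin(gateway)}        # what the app would ship with
    return {
        "gateway": pinned_ok(gateway, pins),
        "renewed_same_key": pinned_ok(make_cert("lightify-gateway.local", GATEWAY_KEY, serial=2), pins),
        "mitm_same_name": pinned_ok(make_cert("lightify-gateway.local", MITM_KEY, serial=3), pins),
    }


if __name__ == "__main__":
    print(demo())
```

The third case is the one that matters here: the interposed certificate carries the same subject name, so a check limited to the hostname would pass it, while the SPKI pin rejects it. Pinning the public key rather than the whole certificate is also why the renewed certificate (new serial, same key) still passes, which is what keeps a pin from breaking on routine certificate rotation.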

Osram was informed of the vulnerabilities in mid-May and says it will soon release patches for most of them; the SSL pinning and ZigBee-related issues are not among those being fixed.

“OSRAM agreed to security testing on existing LIGHTIFY products by security researchers from Rapid7. Since being notified about the vulnerabilities identified by Rapid7, OSRAM has taken actions to analyze, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August,” the company told SecurityWeek.

“RAPID7 security researchers also highlighted certain vulnerabilities within the ZigBee® protocol, which are unfortunately not in OSRAM’s area of influence. OSRAM is in ongoing coordination with the ZigBee® Alliance in relation to known and newly discovered vulnerabilities,” it added.

This is not the first time Rapid7 has analyzed the security of Internet of Things (IoT) products. The company recently warned users that a vulnerability in Comcast’s Xfinity Home Security system could allow thieves to break into homes without triggering the alarm.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.