Osram smart lighting flaw lets hackers breach home Wi-Fi

Lightify smart bulbs potentially allowed access to home Wi-Fi networks

Security researchers have found critical flaws in Osram Lightify smart bulbs that could enable hackers to breach home Wi-Fi networks.

Nine flaws in the Home and Pro versions of Osram Lightify could let attackers gain access to home Wi-Fi network and activate the lights, according to Tod Beardsley, senior security research manager at Rapid7, whose researcher Deral Heiland discovered the problems.

Advertisement - Article continues below

In a blog post, Beardsley said: "Examination of the network services on the gateway shows that port 4000/TCP is used for local control when Internet services are down, and no authentication is required to pass commands to this TCP port.

"With this access, an unauthenticated actor can execute commands to change lighting, and also execute commands to reconfigure the devices."

One of the most critical flaws was in the default WPA2 pre-shared key on the Pro solution (CVE-2016-5056). This extremely small keyspace of limited characters and a fixed, short length makes it possible to crack a captured WPA2 authentication handshake in less than 6 hours, leading to remote access to the cleartext WPA2 PSK.

It took the researchers less than six hours to crack the WPA2 PSK on one device.

Rapid7 said that at the time of disclosure, Osram had indicated that all but the lack of SSL pinning and the issues related to ZigBee rekeying have been addressed in its latest patch.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

In a statement, Osram said that since being notified about the vulnerabilities identified by Rapid7, it "has taken actions to analyse, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August".

It added that the security researchers also highlighted certain vulnerabilities within the ZigBee protocol, "which are unfortunately not in Osram's area of influence. Osram is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities".

Simon Moffatt, EMEA director of Advanced Customer Engineering at ForgeRock, told IT Pro that the initial wave of IoT implementations have mostly been about communications and connectivity, with the technical challenges of adding network connectivity to previously dumb, offline devices meaning that security has taken something of a backseat.

"However, as exciting as this concept is, the sheer volume of IoT devices has created a vast attack vector, and one that is growing at an unprecedented rate," he said.

Advertisement - Article continues below

Thomas Fischer, global security advocate at Digital Guardian, told IT Pro that companies that attempt to add protection retrospectively will face a task of enormous magnitude, and there're a much higher chance mistakes will be made and vulnerabilities missed.

"It is critical that organisations developing IoT technologies and even those selling them ensure these products have been developed, built and sold with security in mind," he said.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/cyber-security/355368/microsoft-builds-ai-to-detect-security-flaws-with-99-accuracy
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020
Visit/security/vulnerability/355276/businesses-brace-for-second-fujiwhara-effect-of-2020-as-patch-tuesday
vulnerability

Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms

9 Apr 2020

Most Popular

Visit/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Security

The top ten password-cracking techniques used by hackers

5 May 2020
Visit/mobile/5g/355712/nokia-5g-speed-record
5G

Nokia breaks 5G record with speeds nearing 5Gbps

20 May 2020
Visit/cloud/cloud-computing/355742/microsoft-launches-public-cloud-service-for-health-care
cloud computing

Microsoft launches public cloud service for health care

21 May 2020