Osram smart lighting flaw lets hackers breach home Wi-Fi

Lightify smart bulbs potentially allowed access to home Wi-Fi networks

Security researchers have found critical flaws in Osram Lightify smart bulbs that could enable hackers to breach home Wi-Fi networks.

Nine flaws in the Home and Pro versions of Osram Lightify could let attackers gain access to home Wi-Fi network and activate the lights, according to Tod Beardsley, senior security research manager at Rapid7, whose researcher Deral Heiland discovered the problems.

Advertisement - Article continues below

In a blog post, Beardsley said: "Examination of the network services on the gateway shows that port 4000/TCP is used for local control when Internet services are down, and no authentication is required to pass commands to this TCP port.

"With this access, an unauthenticated actor can execute commands to change lighting, and also execute commands to reconfigure the devices."

One of the most critical flaws was in the default WPA2 pre-shared key on the Pro solution (CVE-2016-5056). This extremely small keyspace of limited characters and a fixed, short length makes it possible to crack a captured WPA2 authentication handshake in less than 6 hours, leading to remote access to the cleartext WPA2 PSK.

It took the researchers less than six hours to crack the WPA2 PSK on one device.

Rapid7 said that at the time of disclosure, Osram had indicated that all but the lack of SSL pinning and the issues related to ZigBee rekeying have been addressed in its latest patch.

Advertisement - Article continues below
Advertisement - Article continues below

In a statement, Osram said that since being notified about the vulnerabilities identified by Rapid7, it "has taken actions to analyse, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August".

It added that the security researchers also highlighted certain vulnerabilities within the ZigBee protocol, "which are unfortunately not in Osram's area of influence. Osram is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities".

Simon Moffatt, EMEA director of Advanced Customer Engineering at ForgeRock, told IT Pro that the initial wave of IoT implementations have mostly been about communications and connectivity, with the technical challenges of adding network connectivity to previously dumb, offline devices meaning that security has taken something of a backseat.

"However, as exciting as this concept is, the sheer volume of IoT devices has created a vast attack vector, and one that is growing at an unprecedented rate," he said.

Advertisement - Article continues below

Thomas Fischer, global security advocate at Digital Guardian, told IT Pro that companies that attempt to add protection retrospectively will face a task of enormous magnitude, and there're a much higher chance mistakes will be made and vulnerabilities missed.

"It is critical that organisations developing IoT technologies and even those selling them ensure these products have been developed, built and sold with security in mind," he said.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020
Microsoft Windows

Microsoft puts Windows development on lockdown

25 Mar 2020
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020