Osram smart lighting flaw lets hackers breach home Wi-Fi

Lightify smart bulbs potentially allowed access to home Wi-Fi networks

Security researchers have found critical flaws in Osram Lightify smart bulbs that could enable hackers to breach home Wi-Fi networks.

Nine flaws in the Home and Pro versions of Osram Lightify could let attackers gain access to home Wi-Fi network and activate the lights, according to Tod Beardsley, senior security research manager at Rapid7, whose researcher Deral Heiland discovered the problems.

In a blog post, Beardsley said: "Examination of the network services on the gateway shows that port 4000/TCP is used for local control when Internet services are down, and no authentication is required to pass commands to this TCP port.

"With this access, an unauthenticated actor can execute commands to change lighting, and also execute commands to reconfigure the devices."

Advertisement - Article continues below
Advertisement - Article continues below

One of the most critical flaws was in the default WPA2 pre-shared key on the Pro solution (CVE-2016-5056). This extremely small keyspace of limited characters and a fixed, short length makes it possible to crack a captured WPA2 authentication handshake in less than 6 hours, leading to remote access to the cleartext WPA2 PSK.

It took the researchers less than six hours to crack the WPA2 PSK on one device.

Rapid7 said that at the time of disclosure, Osram had indicated that all but the lack of SSL pinning and the issues related to ZigBee rekeying have been addressed in its latest patch.

In a statement, Osram said that since being notified about the vulnerabilities identified by Rapid7, it "has taken actions to analyse, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August".

It added that the security researchers also highlighted certain vulnerabilities within the ZigBee protocol, "which are unfortunately not in Osram's area of influence. Osram is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities".

Simon Moffatt, EMEA director of Advanced Customer Engineering at ForgeRock, told IT Pro that the initial wave of IoT implementations have mostly been about communications and connectivity, with the technical challenges of adding network connectivity to previously dumb, offline devices meaning that security has taken something of a backseat.

Advertisement - Article continues below

"However, as exciting as this concept is, the sheer volume of IoT devices has created a vast attack vector, and one that is growing at an unprecedented rate," he said.

Thomas Fischer, global security advocate at Digital Guardian, told IT Pro that companies that attempt to add protection retrospectively will face a task of enormous magnitude, and there're a much higher chance mistakes will be made and vulnerabilities missed.

"It is critical that organisations developing IoT technologies and even those selling them ensure these products have been developed, built and sold with security in mind," he said.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
cyber security

If not passwords then what?

8 Jan 2020
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020