Osram ‘Smart Light’ Bugs Could Give Attackers Corporate Wi-Fi Access
Nine security holes have been found in Osram Sylvania Lightify smart lighting systems, which could allow remote hackers to launch browser-based or home attacks and even access corporate networks.
The vulnerabilities were discovered by security researchers at Rapid7. Osram, which sells both Home and Pro products, says it agreed to have its Lightify products tested by Rapid7. Similar to the Philips Hue series, Osram's technology is designed to let users set moods, brightness, and other lighting controls from their apps.
One of the most concerning of the nine vulnerabilities, discovered by Rapid7 research lead Deral Heiland, is a cross-site scripting fault in the web management interface of the Pro product, which could allow an attacker to launch browser-based attacks.
“As a result, a malicious actor can inject code which could modify the system configuration, exfiltrate or alter stored data, or take control of the product in order to launch browser-based attacks against the authenticated user’s workstation.”
CVE-2016-5056 is another potentially dangerous vulnerability, which could allow remote attackers to access corporate wireless networks and from there go on to attack high-value resources.
The problem lies with the system’s use of weak default WPA2 pre-shared keys (PSKs): each PSK is only eight characters long and draws only from “0123456789abcdef.”
Rapid7 was able to crack the key in less than six hours, and in one case less than three hours, gaining access to the cleartext WPA2 PSK.
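The weakness described above can be checked for during deployment. The following Python sketch is an added example, not code from Rapid7 or Osram: it scores a PSK against the smallest character class that contains it and flags keys with a small search space. The 80-bit threshold, the guess rate and the sample keys are assumptions constructed for illustration.

```python
import math
import string

# Character classes, smallest first. A key is scored against the smallest
# class containing all of its characters, i.e. the search space faced by
# someone who knows how the default key was generated.
CLASSES = [
    ("digits", set(string.digits)),
    ("lowercase hex", set("0123456789abcdef")),
    ("lowercase alphanumeric", set(string.ascii_lowercase + string.digits)),
    ("alphanumeric", set(string.ascii_letters + string.digits)),
    ("printable ASCII", set(string.printable) - set("\t\n\r\x0b\x0c")),
]

MIN_BITS = 80  # assumed policy threshold, not a figure from the article


def audit_psk(psk):
    """Return (class_name, keyspace_bits, ok) for a WPA2 passphrase."""
    if not 8 <= len(psk) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    chars = set(psk)
    for name, alphabet in CLASSES:
        if chars <= alphabet:
            bits = len(psk) * math.log2(len(alphabet))
            return name, bits, bits >= MIN_BITS
    raise ValueError("PSK contains non-printable or non-ASCII characters")


def hours_to_exhaust(bits, guesses_per_second):
    """Worst-case hours to try every key in a space of 2**bits."""
    return 2 ** bits / guesses_per_second / 3600


if __name__ == "__main__":
    # Constructed sample keys; none is a real device default.
    for psk in ("3f9a0c7e", "12345678", "q7#Lm2!xZp9@Vr4&Tn6$"):
        name, bits, ok = audit_psk(psk)
        # 200,000 guesses/s is an assumed rate for illustration only.
        hours = hours_to_exhaust(bits, 200_000)
        verdict = "ok" if ok else "WEAK"
        print(f"{psk!r}: {name}, {bits:.1f} bits, {hours:.3g} h -> {verdict}")
```

An eight-character lowercase-hex key scores 32 bits (16^8 possible keys), which is why replacing the factory default with a long random passphrase belongs in the deployment checklist.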
The researchers also found issues that allow attackers to do everything from turning off the lights to taking control of the management interface.
“Nine issues affecting the Home or Pro versions of Osram Lightify were discovered, with the practical exploitation effects ranging from the accidental disclosure of sensitive network configuration information, to persistent cross-site scripting (XSS) on the Web management console, to operational command execution on the devices themselves without authentication,” the security firm said in a statement.
Heiland claimed the bugs he found show “we need to build better policy around managing the risk and develop processes on how to deploy these technologies in a manner that does not add any unnecessary risk.”
According to the timeline provided by Rapid7, the company contacted Osram on May 16, and Osram eventually patched most of the nine issues. However, two issues remain unpatched: those related to ZigBee rekeying and the lack of SSL pinning.
Osram added: “Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee protocol, which are unfortunately not in Osram’s area of influence. Osram is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities.”
Osram did not immediately respond to a request for comment.