Osram smart lighting flaw lets hackers breach home Wi-Fi
Lightify smart bulbs potentially allowed access to home Wi-Fi networks


Security researchers have found critical flaws in Osram Lightify smart bulbs that could enable hackers to breach home Wi-Fi networks.
Nine flaws in the Home and Pro versions of Osram Lightify could let attackers gain access to home Wi-Fi network and activate the lights, according to Tod Beardsley, senior security research manager at Rapid7, whose researcher Deral Heiland discovered the problems.
In a blog post, Beardsley said: "Examination of the network services on the gateway shows that port 4000/TCP is used for local control when Internet services are down, and no authentication is required to pass commands to this TCP port.
"With this access, an unauthenticated actor can execute commands to change lighting, and also execute commands to reconfigure the devices."
One of the most critical flaws was in the default WPA2 pre-shared key on the Pro solution (CVE-2016-5056). This extremely small keyspace of limited characters and a fixed, short length makes it possible to crack a captured WPA2 authentication handshake in less than 6 hours, leading to remote access to the cleartext WPA2 PSK.
It took the researchers less than six hours to crack the WPA2 PSK on one device.
Rapid7 said that at the time of disclosure, Osram had indicated that all but the lack of SSL pinning and the issues related to ZigBee rekeying have been addressed in its latest patch.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
In a statement, Osram said that since being notified about the vulnerabilities identified by Rapid7, it "has taken actions to analyse, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August".
It added that the security researchers also highlighted certain vulnerabilities within the ZigBee protocol, "which are unfortunately not in Osram's area of influence. Osram is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities".
Simon Moffatt, EMEA director of Advanced Customer Engineering at ForgeRock, told IT Pro that the initial wave of IoT implementations have mostly been about communications and connectivity, with the technical challenges of adding network connectivity to previously dumb, offline devices meaning that security has taken something of a backseat.
"However, as exciting as this concept is, the sheer volume of IoT devices has created a vast attack vector, and one that is growing at an unprecedented rate," he said.
Thomas Fischer, global security advocate at Digital Guardian, told IT Pro that companies that attempt to add protection retrospectively will face a task of enormous magnitude, and there're a much higher chance mistakes will be made and vulnerabilities missed.
"It is critical that organisations developing IoT technologies and even those selling them ensure these products have been developed, built and sold with security in mind," he said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
LaunchDarkly to "double down" on observability with Highlight acquisition
News Highlight's observability tools will be integrated into LaunchDarkly's Guarded Releases software deployment service
By Daniel Todd
-
Samsung Galaxy Tab S10 FE review
Reviews The Tab S10 FE retains the feel and core capabilities of Samsung's high-end S10 tablets, but compromises on the display and the performance
By Stuart Andrews