Osram smart lighting flaw lets hackers breach home Wi-Fi

Security researchers have found critical flaws in Osram Lightify smart bulbs that could enable hackers to breach home Wi-Fi networks.

Nine flaws in the Home and Pro versions of Osram Lightify could let attackers gain access to home Wi-Fi network and activate the lights, according to Tod Beardsley, senior security research manager at Rapid7, whose researcher Deral Heiland discovered the problems.

In a blog post, Beardsley said: "Examination of the network services on the gateway shows that port 4000/TCP is used for local control when Internet services are down, and no authentication is required to pass commands to this TCP port.

"With this access, an unauthenticated actor can execute commands to change lighting, and also execute commands to reconfigure the devices."

One of the most critical flaws was in the default WPA2 pre-shared key on the Pro solution (CVE-2016-5056). This extremely small keyspace of limited characters and a fixed, short length makes it possible to crack a captured WPA2 authentication handshake in less than 6 hours, leading to remote access to the cleartext WPA2 PSK.

It took the researchers less than six hours to crack the WPA2 PSK on one device.

Rapid7 said that at the time of disclosure, Osram had indicated that all but the lack of SSL pinning and the issues related to ZigBee rekeying have been addressed in its latest patch.

In a statement, Osram said that since being notified about the vulnerabilities identified by Rapid7, it "has taken actions to analyse, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August".

It added that the security researchers also highlighted certain vulnerabilities within the ZigBee protocol, "which are unfortunately not in Osram's area of influence. Osram is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities".

Simon Moffatt, EMEA director of Advanced Customer Engineering at ForgeRock, told IT Pro that the initial wave of IoT implementations have mostly been about communications and connectivity, with the technical challenges of adding network connectivity to previously dumb, offline devices meaning that security has taken something of a backseat.

"However, as exciting as this concept is, the sheer volume of IoT devices has created a vast attack vector, and one that is growing at an unprecedented rate," he said.

Thomas Fischer, global security advocate at Digital Guardian, told IT Pro that companies that attempt to add protection retrospectively will face a task of enormous magnitude, and there're a much higher chance mistakes will be made and vulnerabilities missed.

"It is critical that organisations developing IoT technologies and even those selling them ensure these products have been developed, built and sold with security in mind," he said.