“Intelligent” home lighting system Osram Lightify sports a number of security vulnerabilities, some of which could lead to compromise of the product and the users’ home or office network, Rapid7 researcher Deral Heiland has found.
How does Osram Lightify work?
“This lighting system begins with a wireless gateway that can be plugged into your standard wall outlet anywhere in your home or business and syncs wirelessly with your existing Wi-Fi network. The gateway connects to Lightify devices up to 50 per each gateway via the standard ZigBee home automation protocols,” it is explained.
“The free Lightify application runs on devices with Apple iOS7 or above and Android 4.1 or above. You can also use other useful home apps such as SmartThings, Nest and Wink to control this lightbulb.”
What’s the problem?
The nine vulnerabilities Heiland found affect both the Home and Pro versions of the system. Some affect the mobile app, some the gateway, some the web management console, and some affect all of the devices that make up the system.
They could allow attackers to recover the WPA pre-shared key of the user’s home WiFi network as well as the network’s password, launch browser-based attacks against the authenticated user’s workstation, access confidential data, and tamper with the light installations.
More details about each of the flaws can be found in this blog post.
“At the time of this disclosure’s publication, the vendor has indicated that all but the lack of SSL pinning and the issues related to ZigBee rekeying have been addressed in the latest patch set,” Heiland shared.
Why is this important?
Aside from annoying us when they fail at the most inopportune moment for some reason that is arcane to most of us, smart office and home devices can introduce new avenues for remote exploitation and persistent compromise of enterprise and home networks.
We owe a lot to security researchers who take the time and effort to test the security of these devices, as most manufacturers don’t seem to yet consider it a very important thing. Why? Well, mostly because consumers still don’t.
UPDATE (28 July 2016):
“OSRAM agreed to security testing on existing Lightify products by Security researchers from Rapid7. Since being notified about the vulnerabilities identified by Rapid7, OSRAM has taken actions to analyze, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August,” Help Net Security was told by Osram’s media relations team leader Torsten Wolf.
“Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee protocol, which are unfortunately not in OSRAM’s area of influence. OSRAM is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities.”