Security researchers have revealed several major vulnerabilities in Osram Lightify smart lighting systems which could allow remote hackers to launch browser-based attacks and even access corporate networks.
Osram, which sells both Home and Pro products, claims it agreed to testing of its Lightify products by Rapid7.
One of the most serious of the nine vulnerabilities discovered by Rapid7 research lead Deral Heiland is a cross-site scripting flaw in the web management interface of the Pro product, which could allow an attacker to launch browser-based attacks.
“As a result, a malicious actor can inject code which could modify the system configuration, exfiltrate or alter stored data, or take control of the product in order to launch browser-based attacks against the authenticated user’s workstation.”
Another potentially dangerous vulnerability is CVE-2016-5056, which could allow remote attackers to access corporate wireless networks and from there go on to attack high value resources.
The problem lies with the system’s use of weak default WPA2 pre-shared keys (PSKs) – using only an eight character PSK and only drawing from “0123456789abcdef.”
Rapid7 was able to crack the code in less than six hours, and in one case under three hours, gaining access to the cleartext WPA2 PSK.
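To make the weakness concrete from a defender's side, the following added example (not code from Rapid7, Osram or the article) audits a WPA2 PSK against the pattern described above: eight characters drawn only from "0123456789abcdef". It computes the keyspace and entropy a generic strength checker would assign, then shows how knowing the generator's alphabet shrinks the effective entropy to 32 bits. The entropy threshold and the character-class sizes are assumptions for illustration.

```python
import math
import string

# Weak default pattern reported for the Lightify Pro PSK: 8 hex characters
WEAK_ALPHABET = "0123456789abcdef"
WEAK_LENGTH = 8

# Assumed policy floor for a PSK that should survive offline guessing
MIN_ENTROPY_BITS = 80.0


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct keys for a fixed-length key over an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits, assuming each position is chosen uniformly."""
    return length * math.log2(alphabet_size)


def matches_weak_default_pattern(psk: str) -> bool:
    """True if the PSK looks like the weak factory default: 8 hex chars."""
    return len(psk) == WEAK_LENGTH and all(c in WEAK_ALPHABET for c in psk)


def generic_alphabet_size(psk: str) -> int:
    """Alphabet size a naive strength checker would infer from the
    character classes present (assumed class sizes, not a standard)."""
    size = 0
    if any(c in string.ascii_lowercase for c in psk):
        size += 26
    if any(c in string.ascii_uppercase for c in psk):
        size += 26
    if any(c in string.digits for c in psk):
        size += 10
    if any(c in string.punctuation for c in psk):
        size += len(string.punctuation)
    return size


def audit_psk(psk: str, min_bits: float = MIN_ENTROPY_BITS) -> dict:
    """Report the naive and the pattern-aware entropy of a PSK and flag it
    if it matches the known weak default or falls below the policy floor."""
    naive_bits = entropy_bits(generic_alphabet_size(psk), len(psk))
    if matches_weak_default_pattern(psk):
        # Knowing the generator used only hex digits collapses the keyspace
        effective_bits = entropy_bits(len(WEAK_ALPHABET), WEAK_LENGTH)
        effective_keyspace = keyspace(len(WEAK_ALPHABET), WEAK_LENGTH)
    else:
        effective_bits = naive_bits
        effective_keyspace = keyspace(generic_alphabet_size(psk), len(psk))
    return {
        "psk_length": len(psk),
        "naive_bits": round(naive_bits, 1),
        "entropy_bits": round(effective_bits, 1),
        "keyspace": effective_keyspace,
        "matches_weak_default": matches_weak_default_pattern(psk),
        "weak": effective_bits < min_bits,
    }


if __name__ == "__main__":
    # Constructed sample keys: one shaped like the weak default, one long passphrase
    for sample in ("a1b2c3d4", "Tr0ub4dor&3-Lightify!"):
        print(sample, audit_psk(sample))
```

The point the audit makes is that an 8-character hex key has only 16^8 (about 4.3 billion) possibilities, roughly 32 bits, regardless of what a character-class heuristic reports; replacing the factory PSK with a long, randomly generated passphrase is the mitigation.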
Heiland claimed the bugs he found show “we need to build better policy around managing the risk and develop processes on how to deploy these technologies in a manner that does not add any unnecessary risk.”
Osram explained in a statement sent to Infosecurity that the majority of bugs would be patched in the next version update, planned for August.
“Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee protocol, which are unfortunately not in Osram’s area of influence. Osram is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities.”
Thomas Fischer, global security advocate at Digital Guardian, argued that IoT devices are often produced with “simplified hardware”, which keeps costs down but also means they “lack basic principles of integrity and failover.”
“Companies that attempt to add protection retrospectively will face a task of enormous magnitude, and there’s a much higher chance mistakes will be made and vulnerabilities missed,” he added.