Osram Smart Light Bugs Affect Wi-Fi Security


A hack of your computer is bad enough, but how about your lights?

Security researchers at Rapid7 discovered several vulnerabilities in the Osram Sylvania Lightify products. One of the more concerning bugs would have allowed an attacker who stole a device with access to the app to see a home network's Wi-Fi pre-shared key in plain text. In addition, Rapid7 discovered that attackers could conduct man-in-the-middle attacks and expose a person's traffic to the hacker. Rapid7 even found issues that could allow hackers to change lighting and reconfigure a lighting setup.

On the Pro side, hackers could see a password in clear text without any trouble.

"Nine issues affecting the Home or Pro versions of Osram Lightify were discovered, with the practical exploitation effects ranging from the accidental disclosure of sensitive network configuration information, to persistent cross-site scripting (XSS) on the Web management console, to operational command execution on the devices themselves without authentication," the security firm said in a statement.

Based on the timeline provided by Rapid7, the firm contacted Osram on May 16, and Osram ultimately patched the majority of the nine issues. However, as of this writing, two remain unpatched: the lack of SSL pinning and the issues related to ZigBee rekeying.

Osram did not immediately respond to a request for comment.

Osram Lightify provides indoor and outdoor lighting products that can be controlled via a mobile app. Similar to the Philips Hue series, the technology is designed to let users set moods, brightness, and other lighting controls from their apps. In this case, both the Home and Pro versions were affected.
