A hack of your computer is bad enough, but how about your lights?
Security researchers at Rapid7 discovered several vulnerabilities in the Osram Sylvania Lightify products. One of the more concerning bugs would have allowed an attacker who obtained a device with the app installed to read the home network's Wi-Fi pre-shared key in plain text. Rapid7 also found that attackers could conduct man-in-the-middle attacks, exposing a user's traffic to the attacker. Rapid7 even found issues that could allow attackers to change lighting and reconfigure a lighting setup.
On the Pro side, hackers could see a password in clear text without any trouble.
"Nine issues affecting the Home or Pro versions of Osram Lightify were discovered, with the practical exploitation effects ranging from the accidental disclosure of sensitive network configuration information, to persistent cross-site scripting (XSS) on the Web management console, to operational command execution on the devices themselves without authentication," the security firm said in a statement.
Based on the timeline provided by Rapid7, the security firm contacted Osram on May 16, and Osram ultimately patched the majority of the nine issues. However, as of this writing, two remain unpatched: the lack of SSL pinning and the issues related to ZigBee rekeying.
Osram did not immediately respond to a request for comment.
Osram Lightify provides indoor and outdoor lighting products that can be controlled via a mobile app. Similar to the Philips Hue series, the technology is designed to let users set moods, brightness, and other lighting controls from their apps. In this case, both the Home and Pro versions were affected.