Osram Smart Light Bugs Affect Wi-Fi Security


A hack of your computer is bad enough, but how about your lights?

Security researchers at Rapid7 discovered several vulnerabilities in the Osram Sylvania Lightify products. One of the more concerning bugs would have allowed an attacker who stole a device with access to the app to see a home network's Wi-Fi pre-shared key in plain text. In addition, Rapid7 discovered that attackers could conduct man-in-the-middle attacks and expose a person's traffic to the hacker. Rapid7 even found issues that could allow hackers to change lighting and reconfigure a lighting setup.

In the Pro version, attackers could read a password in clear text without any trouble.

"Nine issues affecting the Home or Pro versions of Osram Lightify were discovered, with the practical exploitation effects ranging from the accidental disclosure of sensitive network configuration information, to persistent cross-site scripting (XSS) on the Web management console, to operational command execution on the devices themselves without authentication," the security firm said in a statement.

Based on the timeline provided by Rapid7, the firm contacted Osram on May 16, and Osram ultimately patched the majority of the nine issues. However, as of this writing, two remain unaddressed: the lack of SSL pinning and the issues related to ZigBee rekeying.

Osram did not immediately respond to a request for comment.

Osram Lightify provides indoor and outdoor lighting products that can be controlled via a mobile app. Similar to the Philips Hue series, the technology is designed to let users set moods, brightness, and other lighting controls from their apps. In this case, both the Home and Pro versions were affected.
