Osram Smart Light Bugs Affect Wi-Fi Security


A hack of your computer is bad enough, but how about your lights?

Security researchers at Rapid7 discovered several vulnerabilities in the Osram Sylvania Lightify products. One of the more concerning bugs would have allowed an attacker who stole a device with access to the app to read the home network's Wi-Fi pre-shared key in plain text. Rapid7 also found that attackers could conduct man-in-the-middle attacks and expose a user's traffic to the attacker, as well as issues that could allow an attacker to change lighting and reconfigure a lighting setup.

In the Pro version, an attacker could read a password in clear text without any difficulty.

"Nine issues affecting the Home or Pro versions of Osram Lightify were discovered, with the practical exploitation effects ranging from the accidental disclosure of sensitive network configuration information, to persistent cross-site scripting (XSS) on the Web management console, to operational command execution on the devices themselves without authentication," the security firm said in a statement.

Based on the timeline provided by Rapid7, it contacted Osram on May 16, and Osram has since patched the majority of the nine issues. However, as of this writing, two remain unpatched: the lack of SSL pinning and the issues related to ZigBee rekeying.

Osram did not immediately respond to a request for comment.

Osram Lightify provides indoor and outdoor lighting products that can be controlled via a mobile app. Similar to the Philips Hue series, the technology is designed to let users set moods, brightness, and other lighting controls from their apps. In this case, both the Home and Pro versions were affected.
