Osram's Lightify smart bulbs blow a security fuse – isn't anything code audited anymore?
Four unpatched bugs remain after nine found
Nine security holes, four of them still unpatched, have been found in the Osram smart light bulb system, potentially giving attackers access to a home or corporate network.
The issues in the Lightify Home and Pro systems range from cross-site scripting (XSS) to problems with the ZigBee and SSL protocols to insecure encryption key handling. They were discovered by security company Rapid7.
Some of the programming bugs are pretty amateurish, raising the larger question of what kind of security review the products go through before being put on the market. Lightify devices connect wireless to a gateway box via ZigBee, and the gateway connects to the home Wi-Fi network. The gateway is controlled from an iOS or Android app.
As a result of the holes, attackers can do everything from turning off the lights and taking control of the management interface – an annoyance but not dangerous – to gaining access to the network by pulling the network password out of a device, the first step in what could be a significant compromise.
It was discovered that the Lightify iPad app stores your network Wi-Fi password in plain text (CVE-2016-5051) right next to its SSID, providing an open invitation to your network if your tablet is seized or nobbled in some way. The company has put out a patch that prevents the information from being stored unencrypted.
Then there are two still-unpatched holes (CVE-2016-5052 and CVE-2016-5057), due to the fact that the company does not use SSL pinning and so it is possible for someone to launch a man-in-the-middle attack to crack SSL-encrypted traffic running to and from the control app.
Osram says it is working on a patch to introduce SSL pinning – which basically consists of checking for a specific SSL certificate when a connection is established. It's become a pretty common approach, which also raises questions over Osram's security standards.
The other holes are equally or more concerning.
What bad security looks like (Rapid7's graphics)
The other big, unpatched hole (in both the Home and Pro systems – CVE-2016-5054 and CVE-2016-5058) stems from the fact that the system does not refresh the keys it uses to pair devices to the system through the ZigBee protocol. As such, all past commands can be grabbed and replayed without the need for authentication. Osram says it is working on an update that will introduce routine rekeying.
And if all that weren't bad enough, the system uses weak default pre-shared keys (PSKs), one being "0123456789abcdef", which means that it would only take a decent hacker a few hours to break into the system. A patch will use longer and more complex PSKs.
In short, the whole exercise highlights what many people have been warning and worrying about for some time: that smart-home and IoT manufacturers are not doing a sufficient job on security and so opening up consumers and businesses to serious security risks.
As we have seen with baby monitors, smart watches, cameras, bathroom scales, and now light bulbs, this new consumer-friendly technology represents a significant risk and companies need to up their game and take security much more seriously than they currently do. ®