Osram bulbs vulnerable to cyber attacks

The flaws could allow attackers to gain access to the home wi-fi network. Update: Osram responds

By CBR Staff Writer

Internet-connected light bulbs manufactured by Osram Lightify have been found to be vulnerable to cyber attacks.

Deral Heiland, a researcher at security firm Rapid7, identified nine vulnerabilities in the Home or Pro versions of the Osram Lightify product which could allow attackers to gain access to the home wi-fi network and operate the lights.

Rapid7 said in a blog: “Examination of the network services on the gateway shows that port 4000/TCP is used for local control when Internet services are down, and no authentication is required to pass commands to this TCP port.

“With this access, an unauthenticated actor can execute commands to change lighting, and also execute commands to reconfigure the devices.”

Heiland has already informed Osram of the flaws.

He said that a simple software update, to be released in August, would resolve the issues.

Osram was quoted by the BBC as saying: "Since being notified about the vulnerabilities identified by Rapid7, Osram has taken actions to analyse, validate and implement a risk-based remediation strategy.”

The security firm said the installed web management console is susceptible to a persistent Cross Site Scripting (XSS) vulnerability. This flaw would enable the attacker to inject persistent JavaScript and HTML code into various fields within the web management interface.

The security firm said that the injected code will execute within the context of the authenticated user.

As a result, a hacker would be able to inject code which could modify the system configuration, or exfiltrate or alter stored data.

The attacker can also take control of the product in order to launch browser-based attacks against the authenticated user's workstation.

The firm said that a patch supplied by the vendor should filter all data.

It said that users should not deploy the web management console in a network environment used by potential attackers, without a vendor-supplied patch.
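The persistent XSS described above arises when a value stored through one of the console's configuration fields is later written back into a page without encoding. The following is an added example (not Rapid7's or Osram's code) showing the vulnerable pattern beside the hardened one: the field name, the sample stored value and the row template are all constructed for illustration, since the article does not name which fields were affected. It also shows an input-side allow-list, which is the "filter all data" step the vendor patch is expected to add; output encoding is still the control that guarantees injected markup cannot execute in the authenticated user's browser.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: a device name as it might be saved through the console's
# configuration form. The tag inside it is inert here; it only demonstrates
# that markup survives a round trip through storage.
STORED_DEVICE_NAME = "Kitchen <script>alert(1)</script>"

# Assumed allow-list for a device name: letters, digits, space, underscore, hyphen.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 _\-]{1,32}$")


def accept_device_name(name: str) -> bool:
    """Input-side filtering: reject anything outside the allow-list before it is stored."""
    return DEVICE_NAME_RE.fullmatch(name) is not None


def render_device_row_unsafe(name: str) -> str:
    """Vulnerable rendering: the stored value is concatenated straight into markup,
    so any tags it contains become part of the page served to the admin."""
    return f'<tr><td class="device">{name}</td></tr>'


def render_device_row_safe(name: str) -> str:
    """Hardened rendering: output-encode the value for an HTML context.
    quote=True also encodes quotes, so the same helper is safe inside attributes."""
    return f'<tr><td class="device">{html.escape(name, quote=True)}</td></tr>'


class _TagCollector(HTMLParser):
    """Records every element start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def injected_tags(markup: str) -> list[str]:
    """Returns element tags found beyond the template's own <tr>/<td>,
    i.e. elements that came from the stored value rather than the template."""
    parser = _TagCollector()
    parser.feed(markup)
    return [t for t in parser.tags if t not in ("tr", "td")]


if __name__ == "__main__":
    print("allow-list accepts stored value:", accept_device_name(STORED_DEVICE_NAME))
    print("unsafe render injects:", injected_tags(render_device_row_unsafe(STORED_DEVICE_NAME)))
    print("safe render injects:  ", injected_tags(render_device_row_safe(STORED_DEVICE_NAME)))
```

Running the block shows the unsafe template yielding a `script` element while the encoded template yields none; the allow-list rejects the sample value outright, but because encoding happens at render time it protects even values that were stored before the filter existed.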

University College London cybersecurity expert Professor Angela Sasse said: “This is not just about being able to manipulate the light bulbs.

“The vulnerabilities here could give somebody access to control the network itself and that’s a very serious issue. In this day and age, you would regard that as an unacceptable security flaw. It’s a well known thing that you don’t store passwords like that — it’s really elementary.”

OSRAM responded with the following statement:

"OSRAM agreed to security testing on existing LIGHTIFY products by Security researchers from Rapid7. Since being notified about the vulnerabilities identified by Rapid7, OSRAM has taken actions to analyze, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August.

Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee® protocol, which are unfortunately not in OSRAM’s area of influence. OSRAM is in ongoing coordination with the ZigBee® Alliance in relation to known and newly discovered vulnerabilities."
