A Wi-Fi lighting system developed by Osram has been shown to be potentially vulnerable to hackers, leaving the private networks it is connected to prone to attack.
Researchers at Rapid7, the internet security firm, discovered vulnerabilities in the Home and Pro versions of Osram Lightify during tests commissioned by Osram to probe for potential security problems.
The flaws found could allow hackers to turn out the lights in a building and access corporate office and retail networks. The team at Rapid7 managed to hack into the Lightify system in just three hours.
Once they were made aware of the flaws, Osram responded by quickly moving to patch the vulnerabilities.
‘We have taken actions to analyse, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August,’ Osram spokesman, Torsten Wolf, told Lux Magazine.
‘Osram was aware that there could be issues found as no technology is perfect,’ Wolf added.
The Pro edition was found by Rapid7 to be open to persistent cross-site scripting, which enables hackers to bypass security controls and inject malicious code into the system's web interface.
The injection of malicious code would allow an unauthorised user to modify private data, alter system configurations and launch attacks.
The flaws found in the Home edition were less serious than those in the Pro version, but if exploited they would allow hackers to change lighting levels and execute commands to reconfigure devices and fixtures.
‘While the Home edition flaw was not as serious as the problems found in the Pro version, we thought it was important to point these flaws out so they don’t migrate to the Pro edition,’ Deral Heiland, the lead researcher on the Rapid7 investigation, commented.
Heiland believes that the results will give the Internet of Things industry considerable pause for thought, as they continue to develop new products.
Some of the vulnerabilities were discovered in software that Osram had not developed. The researchers highlighted problems within the ZigBee protocol, and Osram and the ZigBee Alliance are now coordinating to rectify the issues.
The full statement from Osram reads as follows:
‘Osram agreed to security testing on existing Lightify products by security researchers from Rapid7. Since being notified about the vulnerabilities identified by Rapid7, Osram has taken actions to analyze, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August.
Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee protocol, which are unfortunately not in Osram’s area of influence. Osram is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities.’