Researchers at Rapid7 detected nine vulnerabilities in the Osram LIGHTIFY line of smart lighting that, if exploited, could have enabled attackers to obtain network configuration data, perform cross-site scripting (XSS) against the web management console, and execute operational commands on the devices themselves without authentication.
Most of the flaws have been patched in the Osram Lightify line, an Internet of Things offering of indoor and outdoor lighting products managed remotely via the web or a mobile app.
One flaw might have enabled attackers to extract the WPA pre-shared key (PSK) of the user's home Wi-Fi, which was stored in cleartext.
Another flaw found was that SSL pinning is not in use, which could enable an attacker to perform a man-in-the-middle (MitM) attack and thereby expose SSL-encrypted traffic.
Since port 4000/TCP is used for local control when internet services are down, and no authentication is required to pass commands to this TCP port, a bad actor could execute commands both to change lighting and to reconfigure the devices.
The installed web management console, which runs on ports 80/TCP and 443/TCP, is also vulnerable to persistent cross-site scripting (XSS).
Rapid7 stated that Osram has patched most of the disclosed bugs and will be issuing a further update in August.