A host of web-based vulnerabilities in Osram Lightify smart lighting products remain unpatched, despite private notification to the vendor in late May and CVEs assigned to the issues in June by CERT/CC.
Researchers at Rapid7 today publicly disclosed some of the details on each of the nine vulnerabilities with temporary mitigation advice users can deploy until a fix is available.
Osram Lightify products are indoor and outdoor lighting products that can be managed over the web or through a mobile application. The products are used commercially and in homes, and the vulnerabilities are just the latest to affect connected devices.
Osram, on Wednesday, emailed a statement to Threatpost:
“OSRAM agreed to security testing on existing LIGHTIFY products by Security researchers from Rapid7. Since being notified about the vulnerabilities identified by Rapid7, OSRAM has taken actions to analyze, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August. Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee protocol, which are unfortunately not in OSRAM’s area of influence. OSRAM is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities.”
Researchers Deral Heiland, principal security consultant at Rapid7, said that a weak default WPA2 pre-shared key on the Pro solution (CVE-2016-5056) is the most critical of the nine flaws. The keys use only eight characters from a limited set of numerals and letters, making it possible to capture a WPA2 authentication handshake and crack the PSK offline in fewer than six hours.
“If the Pro device is connected to internal ethernet or internal Wi-Fi, and is still using the default PSK, a malicious actor could force any Wi-Fi connected system to de-authorize and then re-authorize,”Heiland said. “This would allow an attacker to capture the authentication handshake, which can then be cracked offline in a short period of time – 6 hours or less. As a result, a malicious user could authenticate to the Pro device and pivot into a enterprises internal network.”
Rapid7 said it was able to crack some keys in fewer than three hours, and recommends Osram patch implement longer PSKs based on a larger keyspace; users should set their own PSKs and not rely on defaults, Rapid7 said.
Heiland said that in addition to the PSK issue, the devices’ default SSIDs can also be used to identify the system.
“If attached to the same network, both the Home or Pro version can be identified via network scans,” he said. “The systems can be fingerprinted based off of the open ports and or the exposed web services.”
Highland said exploitation of this issue would be trivial for an attacker and can be done so remotely, adding urgency to the situation.
“The malicious actor could then use the cracked PSK to gain remote access into the internal network via the Lightify Pro device,”Heiland said. “This could be accomplished from the organization’s parking lot.”
The Pro and Home solutions are also plagued by a lack of SSL pinning in the mobile application exposing users to man-in-the-middle attacks, and a persistent cross-site scripting vulnerability in the web management console.
Heiland said a cross-site scripting attack could be done using a rogue Wi-Fi access point broadcasting an SSID containing JavaScript. Should a device admin view this during the Lightify Pro setup, it could trigger a cross-site request forgery attack and allow an attacker to either reconfigure the device to allow remote access or attack the admin’s host systems to take remote control.
“The cross-site scripting ones are easy to exploit but risk is reduced because typical embedded device web services are often not utilized on a day to day basis,”Heiland said. “The biggest risk would be during the deployment phase of the Pro system within an enterprise environment. During this phase the attack vector has the greatest probability of success, but this also makes this attack vector difficult because the malicious actor would need to know that the solutions is being deployed.”
The Pro solution is also vulnerable to a ZigBee Network command replay vulnerability, which also affects the home version. An attacker, Heiland said, could trivially exploit the ZigBee flaw with the right equipment, and could keep the lights off inside an office building, for example, but would need to be in close proximity to do so.
“Examination of the ZigBee home automation communication reveals that no rekeying of the Zigbee secure communication takes place after the initial pairing of the ZigBee-enabled end nodes (the light components of the system),” Rapid7 said in its advisory. “Due to this lack of routine rekeying, it is possible for a malicious actor to capture and replay the Zigbee communication at any time, and replay those commands to disrupt lighting services without any other form of authentication.”
The Pro version also has an issue where the app was caching screenshots of pages when the iPad home button was selected in a particular folder and could leak plaintext passwords and other sensitive information.
The remaining vulnerabilities affect the home solutions and include the use of a cleartext WPA2 pre-shared key, the lack of SSL Pinning, a pre-authentication command execution flaw, and the ZigBee network command replay flaw.
This article was updated July 28 with comments from Osram.