Smart lighting system flaws exposed private networks to hackers
Tue 26 Jul 2016
Security researchers have uncovered a series of vulnerabilities in a range of smart lighting systems, which could allow attackers to manipulate lights and hack into private networks.
The team at Rapid7 discovered the flaws in the Home and Pro versions of Sylvania Osram Lightify products. The experts explained in a blog post that the vulnerabilities could permit hackers to access corporate networks in office and retail settings.
According to research lead Deral Heiland, Sylvania responded immediately by patching the uncovered vulnerabilities. He suggested that the most dangerous of flaws were located in the Pro Edition of the Osram Lightify, which is marketed to businesses, operating in office and store environments.
The scientists discovered that the lighting systems’ installed management console, which runs on ports 80 and 443, was open to a continuous cross site scripting (XSS) vulnerability that could facilitate the injection of malicious code into the management interface.
Third party code could be executed as if it were a command from an authenticated user, which would allow the hacker to alter system configurations, access and modify data, and override the system to launch attacks.
In one test, Heiland was able to remotely hack a corporate network through an XSS attack via a flaw in the Wireless Client Mode configuration page – ‘This was accomplished using a rogue access point to broadcast an SSID containing the XSS payload.’
‘What’s dangerous is that it’s possible to reconfigure the device and then interact with the enterprise corporate network. In fact, the probability of using this to carry out further attacks and exploits against the device and the authenticated user to the device to exploit the network (remotely) is most likely,’ said Heiland.
While the flaws found in the Home product series were found to be less serious than those in the Pro versions, Heiland noted that the findings would provide important insight for IoT companies as they seek to mitigate security risks.