Osram's Lightify smart bulbs blow a security fuse – isn't anything code audited anymore?

Nine security holes, four of them still unpatched, have been found in the Osram smart light bulb system, potentially giving attackers access to a home or corporate network. The issues in the Lightify Home and Pro systems range from cross-site scripting (XSS) to problems with the ZigBee and SSL protocols to insecure encryption …

  1. ecofeco Silver badge

    Smart lights?

    More like dim bulbs.

    1. Anonymous Coward

      Re: Smart lights?

      bought by

      'Dim wits'.

      How long before they put a microphone into every bulb?

      Oh, that's so that you can tell the light to switch off or it will switch on when it hears the sound of you coming into the room.

      With all these security holes, it does not take someone with a brain as large as Einstein's to realise that this could be used to spy on you. Not only the spooks but the ad-slingers and retailers.

      "We noticed that you were talking about 'X'. We think that you would like 'Y' instead. Just say 'Buy it Now' and it will be delivered in less than 30 minutes by our drone fleet that is working in your street at the moment"

      Do not want. Will never buy. I'd like to give the person who thought that this IoT thing was a good idea a good seeing to.

      We'll probably have to return to Tilley Lamps and Candles just to get away from the snooping in the not too distant future.

      1. Anonymous Coward

        Re: Smart lights?

        "How long before they put a microphone into every bulb?"

        Already being done. Saw a programme on telly where airports have mics in the bulbs. That was about a year ago....

  2. Anonymous Coward

    Why is it

    that almost every day, some stupid fucking pointless IoT device ends up on the front pages of this and similar Tech news sites for the only reason that it has been discovered it has flaws in its security, potentially opening your *entire* network to miscreants.

    It's a sodding bulb, it has TWO, read 'em, TWO functions. On and Off, nothing more. I mean Osram, you had one job and you singularly failed to make it do that without all sorts of other unwanted pointless "features". If you count "Opening your network to attack" as a feature.

    Cookers that you can turn on remotely, WHY? Cookers have had that facility for decades, called a timer. I mean you have to put the bloody meat in the oven in the first place so you then set the timer.

    IoT is yet another solution looking for a problem but managing to cause more problems than it will ever solve.

    1. Pascal Monett Silver badge

      I wish I could upvote that a hundred times.

      1. Fatman Silver badge

        RE: I wish I could upvote that a hundred times.

        I gave it one vote on your behalf.

    2. Anonymous Coward

      Re: Why is it

      Not only that, but you know that E27 bulb that would fit any E27 socket...not these days.

      https://www.theguardian.com/technology/2016/jan/11/philips-hue-led-bulbs-proprietary-charles-arthur

    3. Mike 125

      Re: Why is it

      >>it has TWO, read em, TWO functions. On and Off,

      For a bit of romance, it's sometimes useful to set something in-between...

      The anger can be focussed far more widely than IoT. I don't want to go all hippy, but since consumer culture began, we've been buying crap we don't need. This is just one more insane example.

      Also, security is not done well on PCs. So why would we expect it to be done well on IoT, which has huge platform constraints?

      This whole thing was inevitable, like the next financial crash.

      /> Hippy mode off.

      1. Andrew Commons

        Re: Why is it

        "Also, security is not done well on PCs"

        No.. should read "security is not done well".

        Our (well some people's) unthinking desire to embrace new and shiny far outstrips our ability to understand and secure it.

        This includes collateral damage as well as direct consequences.

      2. Mark 85 Silver badge

        @Mike 126 -- Re: Why is it

        "For a bit of romance, it's sometimes useful to set something in-between..."

        For that, there's dimmer switches. Generally they cost less to buy and install than a couple of "smart bulbs". Been around for years and work very well and are totally secure from those outside of the house.

        Valid points on the rest of your post.

        1. Gerhard Mack

          Re: @Mike 126 -- Why is it

          This is not something that has obvious advantages until you try it. My friend loaned me a couple of Philips Hue bulbs and, aside from using a lot less power than dimmer switches, they are the best alarm clock I've ever owned.

          I have them set to fade in the lights with an artificial sunrise (I get up about an hour before sunrise in the winter) and it is a lot less jarring than an audio alarm.

    4. Anonymous Coward

      Re: Why is it

      "IoT is yet another solution looking for a problem"

      Oh, it's the solution to an existing problem alright. That existing problem being "how can we make even more money by flogging tat to novelty-addicted, boys-toys-buying idiot consumers?"

      This is why I'm not excited by (e.g.) improvements in display technology any more. Sure, it looks nice, but at the end of the day its purpose will simply be to provide an excuse for the same aforementioned boys-toys owners to replace their 18-month old smartphone with a newer one to impress their tedious friends with. At least, until they get bored of it after a month and start thinking of their next smartphone upgrade.

    5. Sir Runcible Spoon Silver badge

      Re: Why is it

      "it has TWO, read em, TWO functions"

      I don't wish to dilute your overall message (it was not I that downvoted!) but a lightbulb has a SINGLE function, with TWO primary* modes of operation, 'on' and 'off'. :)

      *Other modes are available on suitably engineered products combined with the correct control device. E.g. adjustable brightness setting ;)

  3. Pascal Monett Silver badge

    "what kind of security review the products go through"

    That's easy :

    "Did you put in all that security stuff ?"

    "Yup."

    "Okay, ship it then."

    As far as security is concerned, IoT makers are still in the process of finding out which book to read.

    There is no IoT security standard, there is no International IoT Security Review Board, there is no joint effort, no announcement of intent, no nothing.

    At this point in time, security has nothing to do with IoT and IoT wishes nothing more than things stay that way.

    1. Anonymous Coward

      Re: "what kind of security review the products go through"

      "what kind of security review the products go through"

      That's easy :

      "Did you put in all that security stuff ?"

      "nope."

      "Okay, ship it then."

      TFTFY

    2. Dan 55 Silver badge

      Re: "what kind of security review the products go through"

      There needs to be something like MISRA for IoT and it needs to be now.

      Not that that would stop cheap Chinese imports, but look, hey, here's a reason to buy our expensive Internet-of-Tat lightbulb... it won't look through network drives or proxy your entire LAN traffic to the dark web if someone sneezes at it.

      1. Anonymous Coward

        Re: "what kind of security review the products go through"

        MISRA's a marvellous concept on paper, but never mind cheap Chinese imports, does anyone at all outside MISRA pay any attention to MISRA *in their shipping products*? I know some big names send people along to participate in MISRA activities; I also know some of them aren't listened to when they get back to their day jobs, because the MISRA messages are incompatible with company strategy (i.e. because doing things right is believed to have an unacceptable impact on short-term costs and timescales).

    3. Version 1.0 Silver badge

      Re: "what kind of security review the products go through"

      Q. "Does it turn on?"

      A. Yes

      Q "Does it turn off?"

      A. It seems to

      Q. "Have you checked ... oh wait, there's a squirrel"

      1. Sir Runcible Spoon Silver badge

        Re: "what kind of security review the products go through"

        "Q. "Have you checked ... oh wait, there's a squirrel""

        Oy, that's ADHD'ism that is!

        Sounds like you need an upgrade Mr. v1.0

        1. Version 1.0 Silver badge

          Re: "what kind of security review the products go through"

          Nice one!

    4. Doctor Syntax Silver badge

      Re: "what kind of security review the products go through"

      OK, I've said this before but it's worth saying again.

      Security requirements should be built into UL testing. Add FCC declaration of conformity and CE.

      I'm not sure about FCC declarations but CE is a matter of self-certification so it might need a few prosecutions for false marking before that would fully hit home but the principle would be established: if you want to get it to market, build in security from the first design stage onwards.

  4. Charlie Clark Silver badge

    isn't anything code audited anymore?

    Surely that's just a rhetorical question. Was code ever audited?

    Time to market is everything in this business. The code gets developed by people on work experience using whatever examples they can find and gets shipped as soon as the prototype works.

    1. Anonymous Coward

      Re: isn't anything code audited anymore?

      You've just described my job.

      (AC, because.)

  5. Scott Broukell

    IoT

    Insecurity

    of

    Things

    1. Anonymous Coward

      Re: IoT

      Interweb

      of

      Tat

    2. Version 1.0 Silver badge

      Re: IoT

      Internet of Thieves

      1. Sir Runcible Spoon Silver badge

        Re: IoT

        IoT = Incapable of Thought

  6. Chris G Silver badge

    Security niche

    If I were looking for somewhere to start a new business in IT, IoT security would be a good niche market.

    Although owing to the crass ineptitude of most of the makers of 'Smart Things' , rather than a niche it's a missing wall.

  7. calmeilles

    All your bulb are belong to us.

  8. Nigel 11

    What I'd hope ...

    I'd hope that someone is working on a seriously low-bandwidth protocol for commanding functions that are not safety critical, like on and off or up and down for light-bulbs, over the mains wiring of a house. It would emphatically not be any form of "homeplug" Ethernet, both for security reasons and for power-consumption reasons. Cars have already explored this route (CANbus). There are automotive security issues (and they ARE safety critical) but AFAIK these all revolve around the master controller, not the bus interfaces on the light-bulbs.

    Then, there would be a standard for competing gateway / control hubs, which might be linked to a LAN and which might occasionally be secure.

    It might even happen some time in the 2020s!

    1. Doctor Syntax Silver badge

      Re: What I'd hope ...

      "I'd hope that someone is working on a seriously low-bandwidth protocol for commanding functions that are not safety critical, like on and off or up and down for light-bulbs, over the mains wiring of a house."

      I already have this at home. It requires simple devices, placed conveniently adjacent to the doors of each room although there are exceptions where the devices are located on the ceiling and operated by a length of cord. The devices have a simple toggle action.

  9. HellDeskJockey

    There is a security cost to IoT

    There is no such thing as a completely secure system. Add to that that many IoT devices are difficult, if not impossible, to upgrade, and security issues become inevitable. But you can do a few things to make things safer.

    Don't put the system on the Internet just because you can. My light controller is not on the internet; you have to be on the local network to use it.

    Change the default user ID and password. 'admin', 'admin' will not fool anyone.

    Keep your whole network upgraded. Two words: weakest link.

    Monitor your system. Security is a continuing issue not a one time event.

    Look into security issues when upgrading your system. If you see security issues ask if the benefits outweigh the risks.

  10. J.G.Harston Silver badge

    Well, as long as they're mandated to be Edison Screw, that's ok, they won't fit in the One True Proper light socket.

  11. JamesMcP

    The Osram rep is lying when they say that flaws in zigbee protocols are "unfortunately not in Osram's area of influence."

    Aside from the fact that zigbee can be heavily modified by Osram, way back in 2007, the DoE published a paper describing how to secure a Zigbee network from replay attacks.

    (link below)

    They could have used the secure zigbee settings but just like their wifi management, they screwed it up.

    (link: http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/Securing_ZigBee_Wireless_Networks.pdf)
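A worked illustration of the replay protection the comment above refers to, added here as an example; it is not code from Osram, the ZigBee Alliance or the linked DoE paper. It assumes what ZigBee's security header carries: a 32-bit frame counter per sending device plus a message integrity code (MIC) over header and payload. The MIC here is a truncated HMAC-SHA256 stand-in for ZigBee's AES-CCM*, and the network key, the switch address and the captured frames are all constructed for the demo. The weak receiver (MIC check only, no counter check) re-executes a captured "ON" frame replayed later; the hardened receiver rejects it, and both reject a tampered frame.

```python
"""Replay protection with a per-sender frame counter and a MIC, modelled on
the ZigBee security header.  Added example, not Osram's, the ZigBee
Alliance's or the DoE paper's code.  Assumptions: a 32-bit frame counter per
source address and a MIC over header+payload; the MIC is a truncated
HMAC-SHA256 stand-in for ZigBee's AES-CCM*.  Key, addresses and frames are
constructed for the demo."""
import hashlib
import hmac
import struct

NETWORK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
SWITCH_ADDR = 0x1234       # constructed 16-bit short address of the sending switch
HEADER_FMT = "<HI"         # source address (16 bit) + frame counter (32 bit)
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 6 bytes
MIC_LEN = 4                # ZigBee allows 4/8/16-byte MICs; 4 is used here


def compute_mic(header: bytes, payload: bytes, key: bytes = NETWORK_KEY) -> bytes:
    """Integrity tag over header AND payload: the counter is covered, so an
    attacker cannot simply bump the counter on a captured frame."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:MIC_LEN]


def build_frame(src: int, counter: int, payload: bytes, key: bytes = NETWORK_KEY) -> bytes:
    """Sender side.  The counter must strictly increase for every frame sent
    under the same key; the device must rekey before it would wrap at 2**32."""
    header = struct.pack(HEADER_FMT, src, counter)
    return header + payload + compute_mic(header, payload, key)


class Receiver:
    """Bulb side.  check_counter=False is the weak configuration: it verifies
    the MIC but will happily re-execute any previously captured frame."""

    def __init__(self, key: bytes = NETWORK_KEY, check_counter: bool = True):
        self.key = key
        self.check_counter = check_counter
        self.last_counter = {}   # src -> highest counter accepted so far

    def accept(self, frame: bytes):
        """Returns (status, payload); payload is None unless status == 'ok'."""
        if len(frame) < HEADER_LEN + MIC_LEN:
            return "short", None
        header = frame[:HEADER_LEN]
        payload = frame[HEADER_LEN:-MIC_LEN]
        mic = frame[-MIC_LEN:]
        # Authenticate first, so a forged counter can never advance our state
        # (otherwise an attacker could exhaust the counter window for free).
        if not hmac.compare_digest(mic, compute_mic(header, payload, self.key)):
            return "bad-mic", None
        src, counter = struct.unpack(HEADER_FMT, header)
        seen = self.last_counter.get(src, -1)
        if self.check_counter and counter <= seen:
            return "replay", None
        self.last_counter[src] = max(counter, seen)
        return "ok", payload


def demo():
    """Same captured traffic against the hardened and the weak receiver."""
    on = build_frame(SWITCH_ADDR, 1, b"ON")
    off = build_frame(SWITCH_ADDR, 2, b"OFF")
    tampered = bytearray(on)
    tampered[HEADER_LEN] ^= 0x01          # flip one payload bit: MIC must fail
    traffic = [on, off, on, bytes(tampered)]   # third frame is the replayed "ON"
    hardened = Receiver(check_counter=True)
    weak = Receiver(check_counter=False)
    return {
        "hardened": [hardened.accept(f)[0] for f in traffic],
        "weak": [weak.accept(f)[0] for f in traffic],
    }


if __name__ == "__main__":
    print(demo())
```

The ordering inside `accept` matters: the MIC is checked before the counter so that unauthenticated frames cannot move the receiver's counter state, and the counter check is a strict greater-than, so a frame can be accepted exactly once per key lifetime.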
