A host of web-based vulnerabilities in Osram Lightify smart lighting products remain unpatched, despite private notification to the vendor in late May and CVEs assigned to the issues in June by CERT/CC.
Researchers at Rapid7 today publicly disclosed some of the details on each of the nine vulnerabilities with temporary mitigation advice users can deploy until a fix is available.
Osram Lightify products are indoor and outdoor lighting products that can be managed over the web or through a mobile application. The products are used commercially and in homes, and the vulnerabilities are just the latest to affect connected devices.
Researcher Deral Heiland, principal security consultant at Rapid7, said that a weak default WPA2 pre-shared key on the Pro solution (CVE-2016-5056) is the most critical of the nine flaws. The keys use only eight characters from a limited set of numerals and letters, making it possible to capture a WPA2 authentication handshake and crack the PSK offline in fewer than six hours.
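To make the key-space point concrete, here is an added Python example (not Rapid7's or Osram's code) that computes the search space of an eight-character key and checks a replacement passphrase against a stricter policy; the 36-symbol alphabet and the 64-bit minimum are assumptions for illustration, not figures from the advisory.

```python
import math
import secrets
import string

# Assumed shape of the weak default: 8 characters drawn from digits plus one
# case of letters (36 symbols). The advisory only says "a limited set".
ASSUMED_DEFAULT_CHARSET = string.digits + string.ascii_lowercase
ASSUMED_DEFAULT_LENGTH = 8


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct keys of the given length over the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits an attacker must search exhaustively for a uniformly random key."""
    return length * math.log2(charset_size)


def estimated_pool(psk: str) -> int:
    """Conservative alphabet size implied by the character classes present."""
    pool = 0
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c in string.punctuation or c == " " for c in psk):
        pool += 33  # 32 ASCII punctuation characters plus space
    return pool


def check_psk(psk: str, min_bits: float = 64.0) -> list[str]:
    """Return policy problems for a WPA2 passphrase; an empty list means it passes."""
    problems = []
    if not 8 <= len(psk) <= 63:  # WPA2 passphrase length limits
        problems.append("WPA2 passphrases must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in psk):
        problems.append("WPA2 passphrases must be printable ASCII")
    if psk and entropy_bits(estimated_pool(psk), len(psk)) < min_bits:
        problems.append(f"estimated strength below {min_bits} bits")
    return problems


def generate_psk(length: int = 20) -> str:
    """Replacement passphrase from a CSPRNG over letters and digits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Running `check_psk` on an eight-character lowercase-plus-digit key reports roughly 41 bits, which is why an offline attack on the captured handshake finishes in hours; a 20-character generated key exceeds 100 bits.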