This week, new security research on Internet of Things (IoT) lightbulbs shows the need for mobile app security testing of the apps that will control the homes and offices of the future.
Security researchers from Rapid7 looked at Osram’s range of Lightify IoT products, which includes internet-connected lightbulbs and the companion Lightify app.
Of the 9 vulnerabilities that the researchers discovered during mobile app security testing of the Lightify app, the most problematic was the local storage of the user’s Wi-Fi password with no encryption. This would give an attacker access to, and control of, the user’s Wi-Fi network and any other devices on that network.
This vulnerability is embarrassing for whoever is responsible and shows a failure to do any kind of rigorous mobile app security testing that accounts for standards such as the OWASP Mobile Top 10. Other problems included weak security for the lightbulb controls, which would let an attacker turn them on or off, as well as a scenario for client-side JavaScript injection.
Osram responded by stating that it will look at its process for risk mitigation.
This research calls into question the process that IoT companies use to validate and maintain the security of the software that acts as a bridge, most likely a mobile app, between the user and the IoT devices. The neglect of mobile app security testing in this instance would cause far more problems if these lightbulbs were being used in a corporate environment. This is just the latest in a series of notable security issues for IoT products, including cars, smart fridges, and door locks.
Codified Security is here to help make your mobile app secure, whether it’s for iOS or Android, and to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.