Mumbai-based Shravan Singh is a cybersecurity researcher by profession. The 27-year-old had installed a Philips smart (internet-enabled) tube light at his home.
Singh's work generally involves checking whether digital devices and their software are safe in terms of cybersecurity. This led him to the idea of checking whether this Philips lighting device was following proper cyber hygiene.
"I thought I should get into the device and see if it was safe or not," Singh told Moneycontrol.
So, the 27-year-old started dismantling the device in his home and soon found that the ESP chipset that the tube light was installed with, was storing sensitive details in plain text.
"The chip set was storing my network (Wi-Fi) details in plain text. It was not encrypted. Anyone with physical access to the device, could have accessed my network details," said Singh.
This gains importance as users generally tend to discard smart lights whenever their shelf life ends or faces any other problem. And when it is discarded, users generally do not delete their information from the devices.
So, anyone with access to these devices, can very well exploit this vulnerability and gain access to sensitive information stored on the chipset.
"After this I wondered whether other lighting devices by Philips also had similar problems. So I ordered several models of smart lights off Amazon and started doing the same thing," Singh said.
This led him to find that several other devices also had the same vulnerability.
Singh, along with his former research colleagues at CoE - CNDS LAB of the VJTS University in Mumbai, namely Amey Chavekar, Vishal Giri and Dr Faruk Kazi discovered these vulnerabilities in Philips Smart Wi-Fi LED Batten 24-Watt, Philips Smart Wi-Fi LED T Beamer 20-Watt, Philips Smart Bulb, 9, 10, 12 - Watt and Philips Smart T-Bulb 10, 12 Watt.
However, after discovery of the vulnerability, Singh and his ex-colleagues further reverse-engineered the devices in question and found multiple other vulnerabilities.
Singh was told by Philips that they were assessing the impact of the other vulnerabilities that were reported.
Meanwhile, the company has released a solution for the Wi-Fi credential storing vulnerability and has credited Singh and Chavekar for securing their devices.
The researchers also informed the Indian Computer Emergency Response Team (CERT-In), in accordance with the laws and regulations when it comes to vulnerability disclosure.
The CERT-In has issued an advisory in this regard.
"This vulnerability exists in Philips lighting devices due to storage of Wi-Fi credentials in plain text within the device firmware... Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the Wi-Fi network to which vulnerable device is connected," the advisory issued on October 25 read.
The researchers also reached out to relevant authorities in the United States, however, Singh said that it was relayed to them that the vulnerability would not apply there, as Philips does not use the ESP chipset in devices that are sold there.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
