Vulnerability in Philips Lighting Devices Stores Wi-Fi Credentials in Plain Text
CVE-2024-9991
Currently unrated
Key Information:
- Status
- Vendor
- CVE Published: 25 October 2024
Summary
This vulnerability affects Philips lighting devices and stems from the insecure storage of Wi-Fi credentials in plain text within their firmware. An attacker with physical access to a device can extract the firmware and analyze the binary data to retrieve the plaintext Wi-Fi credentials, potentially gaining unauthorized access to the Wi-Fi network the compromised device is connected to. This poses significant risks, especially in environments where secure network access is crucial.
Affected Version(s)
Philips Smart Bulb 9,10,12-Watt <1.33.1
Philips Smart T-Bulb 10,12-Watt <1.33.1
Philips Smart Wi-Fi LED Batten 24-Watt <1.33.1
Credit
This vulnerability was reported by Shravan Singh, Amey Chavekar, Vishal Giri and Dr. Faruk Kazi from CoE-CNDS Lab, VJTI Mumbai, India.