India’s CERT-In has issued two alerts concerning critical vulnerabilities in popular smart devices—specifically, Philips Smart Lighting products and the Matrix Door Controller access control system. These vulnerabilities could enable unauthorized access to sensitive information and pose a risk of data breaches.
The first vulnerability, CIVN-2024-0329 (CVE-2024-9991), with a CVSS score of 7.0, affects several models of Philips smart lighting devices, including the Smart Wi-Fi LED Batten 24W, LED T Beamer 20W, and various models of smart bulbs and T-Bulbs with wattages of 9, 10, and 12W.
This issue impacts devices running firmware versions below 1.33.1, where Wi-Fi network data is stored in plain text. An attacker with physical access to the device could extract the firmware and analyze the data to gain access to the Wi-Fi network, thereby jeopardizing all connected devices as well as users’ personal data. Owners of these devices are advised to update their firmware to version 1.33.1 or higher to safeguard against potential breaches.
The second vulnerability, CIVN-2024-0328 (CVE-2024-10381), with a severity score of 9.3, was identified in the Matrix Door Controller Cosec Vega FAXQ access control system. This flaw affects all devices running firmware versions prior to V2R17 and stems from a session management vulnerability within the device’s web management interface. It allows a remote attacker to send specially crafted HTTP requests that could grant unauthorized access to the system, giving full control over the device.
Exploitation of this vulnerability threatens the confidentiality, integrity, and availability of the system’s data. Although no exploitation of this vulnerability has been publicly reported online, users are strongly advised to take precautionary measures.
To protect against these vulnerabilities, CERT-In recommends several steps to minimize risks and safeguard systems from potential attacks, including:
- Strengthening authentication mechanisms for the web management interface.
- Restricting access to Matrix Door Controller devices through effective network segmentation.
- Conducting regular monitoring and logging of device access to detect unauthorized activities.
- Installing all updates and patches provided by the manufacturer.
- Utilizing a Web Application Firewall (WAF) to shield against malicious HTTP requests.
Users of Philips smart lighting are urged to update their devices to firmware version 1.33.1, and Matrix Door Controller owners should upgrade to firmware version V2R17. Following these actions, along with adherence to the recommended security measures, will help mitigate risks associated with these vulnerabilities and enhance the overall cyber resilience of the system.
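To check a fleet against the two fixed versions named above, the following added example (not code from CERT-In, Philips or Matrix) audits a device inventory and compares firmware numerically, since plain string comparison would wrongly rank 1.9.0 above 1.33.1 and V2R9 above V2R17. The inventory layout, the product labels, the function names and the reading of V2R17 as a version/release pair are assumptions.

```python
import re

# Fixed firmware versions as stated in the advisories summarized above.
PHILIPS_FIXED = "1.33.1"
MATRIX_FIXED = "V2R17"


def parse_dotted(version):
    """'1.33.1' -> (1, 33, 1), so comparison is numeric per component."""
    v = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unrecognized dotted version: {version!r}")
    return tuple(int(part) for part in v.split("."))


def parse_vr(version):
    """'V2R17' -> (2, 17). Assumption: format is V<version>R<release>."""
    m = re.fullmatch(r"[Vv](\d+)[Rr](\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognized V/R version: {version!r}")
    return int(m.group(1)), int(m.group(2))


# Product labels are hypothetical inventory tags, not vendor identifiers.
RULES = {
    "philips-smart-lighting": (parse_dotted, PHILIPS_FIXED, "CVE-2024-9991"),
    "matrix-cosec-vega-faxq": (parse_vr, MATRIX_FIXED, "CVE-2024-10381"),
}


def audit(inventory):
    """Return (device, cve, firmware, status) for every covered product."""
    findings = []
    for device, product, firmware in inventory:
        if product not in RULES:
            continue
        parse, fixed, cve = RULES[product]
        try:
            status = "VULNERABLE" if parse(firmware) < parse(fixed) else "ok"
        except ValueError:
            status = "UNKNOWN"  # unparseable version: verify by hand
        findings.append((device, cve, firmware, status))
    return findings


# Constructed sample inventory for illustration only.
INVENTORY = [
    ("lobby-batten-01", "philips-smart-lighting", "1.9.0"),
    ("lobby-bulb-02", "philips-smart-lighting", "1.33.1"),
    ("door-east", "matrix-cosec-vega-faxq", "V2R9"),
    ("door-west", "matrix-cosec-vega-faxq", "V2R17"),
    ("door-dock", "matrix-cosec-vega-faxq", "unknown"),
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("{:<16} {:<15} {:<8} {}".format(*row))
```

Devices reported as UNKNOWN should be treated as unpatched until their firmware version is confirmed.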