If you think the smart light bulbs installed in your home do nothing more than provide light, you might not be entirely correct. Those bulbs may be weakening your home network’s security, creating cracks that hackers can slip through to launch attacks.
Security researchers at Rapid7 have found flaws in Osram’s Lightify light bulbs that could give attackers access to a home Wi-Fi network and potentially let them operate the lights without permission. Rapid7 discovered nine vulnerabilities in the Home and Pro range and reported them to the manufacturer.
“Nine issues affecting the Home or Pro versions of Osram Lightify were discovered, with the practical exploitation effects ranging from the accidental disclosure of sensitive network configuration information, to persistent cross-site scripting (XSS) on the web management console, to operational command execution on the devices themselves without authentication,” security firm Rapid7 said in a vulnerability report posted earlier this month.
Osram’s Lightify range features internet-connected light bulbs that can be controlled using a smartphone app. By exploiting the flaws found, hackers could identify your network’s password, steal or change your PC’s data, launch browser-based attacks against you, or even seize control of your lights. In addition, the smart bulbs’ relatively short eight-character passwords could be cracked quite easily, giving hackers another avenue to explore.
On the brighter side, Osram plans to patch the majority of the flaws in an August update. In a statement, Osram said: “Since being notified about the vulnerabilities identified by Rapid7, Osram has taken actions to analyse, validate and implement a risk-based remediation strategy.”
Osram said that it is in ongoing coordination with the ZigBee Alliance in relation to known and newly discovered vulnerabilities.