Osram’s Lightify brand of connected, iPhone-controlled lightbulbs is reportedly subject to security flaws that could allow unwanted access to your home network, according to a report from security researchers Rapid7 (via ZDnet).

The best 4K & 5K displays for Mac

The security firm said in an advisory that one of the worst flaws could allow an attacker to “take control of a product” in order to launch attacks against a browser by allowing the injection of persistent JavaScript and web-based HTML code into the web management interface… Another severe weakness in the smart home device allows an attacker to identify the wireless network’s password. The devices use short, eight-character codes, which can be easily cracked within a matter of minutes or hours.

Osram sells its own system as a starter kit with A19 bulbs and a Wi-Fi hub to allow control from companion smartphone apps, but its bulbs are also compatible with other connected lighting systems including Philips Hue and compatible products using the ZigBee protocol.

The report from Rapid7 claimed that Osram plans to update most of the security vulnerabilities in an upcoming update.

Update July 27: Osram sent over the following statement on the issue:

OSRAM agreed to security testing on existing LIGHTIFY products by Security researchers from Rapid7. Since being notified about the vulnerabilities identified by Rapid7, OSRAM has taken actions to analyze, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August.

Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee® protocol, which are unfortunately not in OSRAM’s area of influence. OSRAM is in ongoing coordination with the ZigBee® Alliance in relation to known and newly discovered vulnerabilities.

About the Author