Like a setting out of a horror movie, a recent discovery of potential security flaws in Osram’s Lightify smart light bulbs may give hackers the ability to remotely operate a user’s lights, and even control their network, without asking for approval. Perhaps even more critical, the vulnerabilities — of which nine were found by a security researcher at Rapid7 — could also give unwanted visitors access to a home’s Wi-Fi network. Deral Heiland, the researcher who happened upon the cracks in Osram’s armor, has reportedly informed the manufacturer of the flaws, and has stated that a simple software update coming out in August should fix the problem.
Of the nine vulnerabilities found by Heiland, the one likely responsible for the bulk of the problem lies with the smart bulb’s companion application, which stores unencrypted copies of an owner’s Wi-Fi password. Because of this, hackers could easily obtain this information via the app, which would grant them access to anything connected to the Wi-Fi network. In other words, this is bad.
“This is not just about being able to manipulate the light bulbs,” said University College London cybersecurity expert, Professor Angela Sasse. “The vulnerabilities here could give somebody access to control the network itself and that’s a very serious issue. In this day and age, you would regard that as an unacceptable security flaw. It’s a well known thing that you don’t store passwords like that — it’s really elementary.”
Currently, the company says it continues to analyze potential issues with its products and that most of the flaws will likely be resolved come August. For the remaining risks — which reportedly surround the companion ZigBee Hub — the company says it’s working to find a way to develop yet another patch, though it’s uncertain what the patch would actually target.
As smart home technology continues to grow, one of the most important aspects consumers look for is a device’s built-in security. Unfortunately for Osram, until it fixes its issue of unencrypted Wi-Fi passwords, it’s likely few people will be knocking down its door to install a Lightify system.
- Google found another critical security flaw in Microsoft Edge
- AMD is working on fixes for the reported Ryzenfall, MasterKey vulnerabilities
- Apple iOS 11.2.2 update offers a fix to the Spectre security vulnerability
- LightCam is a smart light bulb that is also a security camera
- CPU and OS makers go on red alert over Meltdown and Spectre vulnerabilities