Security flaw in Osram’s iPhone-controlled Lightify bulbs could allow unauthorized network access


Osram’s Lightify brand of connected, iPhone-controlled lightbulbs is reportedly subject to security flaws that could allow unwanted access to your home network, according to a report from the security firm Rapid7 (via ZDNet).


The security firm said in an advisory that one of the worst flaws could allow an attacker to “take control of a product” in order to launch attacks against a browser by allowing the injection of persistent JavaScript and web-based HTML code into the web management interface… Another severe weakness in the smart home device allows an attacker to recover the wireless network’s password: the devices use short, eight-character codes, which can be cracked within a matter of minutes or hours.

Osram sells its own system as a starter kit with A19 bulbs and a Wi-Fi hub that allows control from companion smartphone apps, but its bulbs are also compatible with other connected lighting systems, including Philips Hue and other products that use the ZigBee protocol.

The report from Rapid7 said that Osram plans to patch most of the vulnerabilities in an upcoming update.

Update July 27: Osram sent over the following statement on the issue:

OSRAM agreed to security testing on existing LIGHTIFY products by security researchers from Rapid7. Since being notified about the vulnerabilities identified by Rapid7, OSRAM has taken actions to analyze, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August.

Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee® protocol, which are unfortunately not in OSRAM’s area of influence. OSRAM is in ongoing coordination with the ZigBee® Alliance in relation to known and newly discovered vulnerabilities.

Published on 9to5Mac.

Author: Jordan Kahn

Jordan writes about all things Apple as Senior Editor of 9to5Mac, and contributes to 9to5Google, 9to5Toys, and Electrek.co. He also co-authors 9to5Mac’s Logic Pros series.