Smart Light Bulb Security Flaw Could Let Hackers Run Riot

By Gerald Lynch

Though we in tech-savvy circles have been talking about the Internet of Things for years now, connected device ecosystems are still a relatively young area, with security standards not universally acknowledged or even set. The Osram Lightify Smart Light Bulb system (seen as an affordable alternative to Philips Hue) is one such range that could potentially fall foul of a hack attack – it's been singled out as being particularly vulnerable to hackers.

Security researchers at Rapid7 (speaking to ZDNet) found flaws in Osram's connected system that could give hackers control. And it's potentially far worse than hackers simply annoyingly turning your mood lighting into a strobe-flashing rave. If fully exploited, an attack could give a person access to an entire home or office network, allowing them to launch a browser-based attack by injecting JavaScript and HTML code into a web management interface. This could easily lead to the harvesting of passwords from services not even related to Osram's products.

In addition, the smart bulbs' relatively short eight-character passwords could also be cracked quite easily, giving another avenue for hackers to explore. The associated iPad app even goes as far as storing passwords in plain text, right next to the SSID.

Nine flaws in total have been identified, and though Osram claimed it would be patching out all but two lesser problems, four remain according to The Register. For anyone using the Osram smart bulbs, it might be wise to dig out the candles instead. [Rapid7]