Serious security flaws found in Osram smart bulbs

The smart home tech company reportedly won't patch all of the vulnerabilities.
Written by Zack Whittaker, Contributor

Your home might be smart, but it might not be so secure.

Researchers have found that popular home lighting system Osram Lightify has a number of severe security flaws that could leave users vulnerable to attack.

Deral Heiland, principal security consultant at security firm Rapid7, explained in an email this week that the vulnerabilities can be used to attack home and enterprise networks, and that, if fully exploited, they could allow an attacker to pivot into an internal network.

The security firm said in an advisory that one of the worst flaws could allow an attacker to "take control of a product" and launch attacks against a user's browser, because persistent JavaScript and HTML can be injected into the device's web management interface.

That could lead to browser-based attacks against a user.
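The flaw class described above is a stored cross-site scripting bug: a value an attacker can write into the device is later rendered, unescaped, into a page that an administrator's browser loads. The following is an added illustration, not Osram's code and not part of Rapid7's advisory; the device-name field, the page layout and the sample payload are all constructed for this example. It shows the unescaped rendering beside the escaped one, plus the response headers a management interface should send as defence in depth.

```python
# Added illustration of a stored-XSS flaw in a web management interface.
# This is NOT Osram's code; the device-name field, the markup and the
# sample value below are constructed for the example.
import html

# Constructed: a device-name value as it could arrive through a rename form.
# A stored-XSS bug means this string is saved and later rendered to every
# administrator who opens the management page.
CONSTRUCTED_NAME = 'Kitchen <script>alert("xss")</script>'


def render_vulnerable(device_name: str) -> str:
    """Interpolates the stored name straight into HTML.

    Whatever was stored becomes live markup in the viewer's browser, which
    is exactly the persistent-JavaScript injection the article describes.
    """
    return f"<h1>Device: {device_name}</h1>"


def render_hardened(device_name: str) -> str:
    """Escapes the stored value at output time so it is shown as text.

    html.escape turns < > & " ' into entities; the browser displays the
    characters instead of parsing them as tags or attributes.
    """
    return f"<h1>Device: {html.escape(device_name, quote=True)}</h1>"


def contains_live_script(page: str) -> bool:
    """Crude check used here to show the difference between the two
    renderings: does the page contain an unescaped <script tag?"""
    return "<script" in page.lower()


def hardened_response_headers() -> dict:
    """Defence in depth for a management UI.

    A Content-Security-Policy that forbids inline scripts means an
    escaping slip elsewhere still does not execute attacker JavaScript.
    """
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CONSTRUCTED_NAME))
    print("hardened:  ", render_hardened(CONSTRUCTED_NAME))
    for name, value in hardened_response_headers().items():
        print(f"{name}: {value}")
```

Escaping at the point of output is the fix that closes the flaw; the CSP header is a second layer that limits the damage if a future template forgets to escape. Both belong in any device web interface that renders user-supplied names or labels.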

Another severe weakness in the smart home device allows an attacker to identify the wireless network's password. The devices use short, eight-character codes, which can be easily cracked within a matter of minutes or hours.

Osram, a Germany-based company, remains a mid-level smart lighting player, behind Philips Hue and Belkin.

A spokesperson for Osram said in an email that the flaws will be patched in a release planned for August. But flaws that relate to ZigBee, the wireless protocol used in many smart home appliances, are "unfortunately not in Osram's area of influence."

It's not the first time a smart home tech company has fallen at the first security hurdle.

Smart home technology has seen an intense focus in recent months, given the explosion in the Internet of Things space. Manufacturers of these internet-connected devices have, however, faced criticism for putting functionality over security. Common flaws in smart home devices can allow hackers to collect data or conduct surveillance.

Heiland said Osram indicated that the next round of patches would fix all the flaws, with the exception of two lesser flaws.
