Internet-connected light bulbs manufactured by Osram Lightify have been found to be vulnerable to cyber attacks.

Deral Heiland, a researcher at security firm Rapid7, identified nine vulnerabilities in the Home or Pro versions of Osram Lightify which could allow attackers to gain access to the home Wi-Fi network and operate the lights.

Rapid7 said in a blog: “Examination of the network services on the gateway shows that port 4000/TCP is used for local control when Internet services are down, and no authentication is required to pass commands to this TCP port.

“With this access, an unauthenticated actor can execute commands to change lighting, and also execute commands to reconfigure the devices.”

Heiland has already informed Osram of the flaws.

He said that a simple software update, to be released in August, would resolve the issues.

Osram was quoted by the BBC as saying: “Since being notified about the vulnerabilities identified by Rapid7, Osram has taken actions to analyse, validate and implement a risk-based remediation strategy.”

The security firm said the installed web management console is susceptible to a persistent Cross Site Scripting (XSS) vulnerability. This flaw would enable the attacker to inject persistent JavaScript and HTML code into various fields within the web management interface.

The security firm said that the injected code will execute within the context of the authenticated user.

As a result, a hacker would be able to inject code which could modify the system configuration, or exfiltrate or alter stored data.

The attacker can also take control of the product in order to launch browser-based attacks against the authenticated user's workstation.

The firm said that a patch supplied by the vendor should filter all data.

It said that, without a vendor-supplied patch, users should not deploy the web management console in a network environment accessible to potential attackers.
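The persistent XSS described above comes down to stored field values being written into the console's HTML without encoding. The following is an added illustration, not Osram's or Rapid7's code, of what "filter all data" means in practice for a web management page: a vulnerable template beside its hardened form, plus a small regression check that a defender can run against any rendering function to confirm a stored value can no longer change the structure of the page. The render functions, the field names and the sample values are all constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample values of the kind a user might store in a console field
# (a device name, a label). They are textbook probe strings, used here only to
# show the difference between the two rendering styles.
CONSTRUCTED_NAME = '<script>alert(1)</script>'
CONSTRUCTED_ATTR = '" onmouseover="x'


def render_vulnerable(field_value: str) -> str:
    """Element context: stored data concatenated straight into markup."""
    return f'<td class="name">{field_value}</td>'


def render_hardened(field_value: str) -> str:
    """Element context: &, <, >, \" and ' are escaped, so the browser shows text."""
    return f'<td class="name">{html.escape(field_value, quote=True)}</td>'


def render_attribute_vulnerable(field_value: str) -> str:
    """Attribute context: an unescaped quote lets the value add new attributes."""
    return f'<input name="label" value="{field_value}">'


def render_attribute_hardened(field_value: str) -> str:
    """Attribute context: quote=True escapes the quote characters; the attribute
    itself is always quoted so a bare space cannot start a new attribute."""
    return f'<input name="label" value="{html.escape(field_value, quote=True)}">'


class _Shape(HTMLParser):
    """Records the tag/attribute skeleton of a fragment, ignoring text and values."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, tuple(name for name, _ in attrs)))

    def handle_endtag(self, tag):
        self.tags.append(("/" + tag, ()))


def markup_shape(fragment: str):
    parser = _Shape()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def value_changes_shape(render, value: str) -> bool:
    """True when rendering `value` yields different tags or attribute names than
    rendering an empty string: the stored data was interpreted as markup."""
    return markup_shape(render(value)) != markup_shape(render(""))


if __name__ == "__main__":
    for name, fn, sample in [
        ("element, vulnerable", render_vulnerable, CONSTRUCTED_NAME),
        ("element, hardened", render_hardened, CONSTRUCTED_NAME),
        ("attribute, vulnerable", render_attribute_vulnerable, CONSTRUCTED_ATTR),
        ("attribute, hardened", render_attribute_hardened, CONSTRUCTED_ATTR),
    ]:
        verdict = "INJECTABLE" if value_changes_shape(fn, sample) else "inert"
        print(f"{name:22s} {verdict:10s} {fn(sample)}")
```

The shape comparison is deliberately context-aware: it catches both a new element in text position and a new attribute grown out of an unquoted or unescaped attribute value, which a simple "strip angle brackets" filter misses. Output encoding at the point of rendering, chosen per context, is the fix the advisory's "filter all data" refers to; restricting who can reach the console, as the article advises for unpatched units, limits exposure in the meantime but does not remove the flaw.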

University College London cybersecurity expert Professor Angela Sasse said: “This is not just about being able to manipulate the light bulbs.

“The vulnerabilities here could give somebody access to control the network itself and that’s a very serious issue. In this day and age, you would regard that as an unacceptable security flaw. It’s a well known thing that you don’t store passwords like that — it’s really elementary.”

OSRAM responded with the following statement:

"OSRAM agreed to security testing on existing LIGHTIFY products by Security researchers from Rapid7. Since being notified about the vulnerabilities identified by Rapid7, OSRAM has taken actions to analyze, validate and implement a risk-based remediation strategy, and the majority of vulnerabilities will be patched in the next version update, currently planned for release in August.

Rapid7 security researchers also highlighted certain vulnerabilities within the ZigBee® protocol, which are unfortunately not in OSRAM’s area of influence. OSRAM is in ongoing coordination with the ZigBee® Alliance in relation to known and newly discovered vulnerabilities."