Security researchers at Rapid7 have identified a number of vulnerabilities in Sylvania Osram Lightify smart home products.
Lightify products provide indoor and outdoor lighting that can be controlled and automated via a web browser or an app on a mobile device.
Vulnerabilities were found across multiple elements of the Lightify ecosystem, including:
- the mobile app
- the web management console
- the implementation of SSL encryption
- the implementation of the ZigBee home automation communication protocol
- the implementation of WPA2 security protocol authentication
The vulnerabilities leave users open to several threats, ranging from exposure of the home Wi-Fi credentials to attackers being able to manipulate Lightify devices and launch web-based attacks against the user.
Osram has already patched several of these vulnerabilities, and users are advised to update their product software.