Context Security hacked into the Wi-Fi network of one brand of network-enabled bulb and controlled the lights remotely.
The LIFX light bulb, which is available to buy in the UK, has network connectivity to let people turn it on and off with their smartphones. The firm behind the bulbs has since fixed the vulnerability.
Michael Jordon, research director at Context, explained how he was able to obtain the Wi-Fi username and password of the household the lights were connected to.
“We bought some light bulbs and examined how they talked to each other and saw that one of the messages was about the username and password,” he told the BBC.
“By posing as a new bulb joining the network we were able to get that information,” he added.
“We were able to steal credentials for the wireless network, which in turn meant we could control the lights.”
The LIFX project started off on crowd-funding website Kickstarter. Billing itself as the “light bulb reinvented”, it brought in over 13 times its original funding target.
The master bulb receives commands from the smartphone applications and broadcasts them to all the other bulbs over a wireless mesh network.
While it had taken two experts two weeks to crack the system, the equipment they had used was cheap and readily available, said Mr Jordon.
LIFX said that it had updated its software since being notified of the vulnerability.
In a blog post, the firm said:
“There was a potential security issue regarding the distribution of network configuration details on the mesh radio but no LIFX users have been affected that we are aware of. As always we recommend that all users stay up-to-date with the latest firmware and app updates.”
Thus the problem was patched by the firm.