After determining how multiple LIFX bulbs talk to each other, the researchers, from security firm Context Information Security, investigated how the bulbs shared home Wi-Fi network credentials. Encryption was being used, but after physically pulling apart lightbulbs to determine the key algorithm, they found they could reverse-engineer the encryption. The researchers said in their findings, published online, that they could "capture the Wi-Fi details and decrypt the credentials, all without any prior authentication or alerting of our presence". In order to stage an attack, the researchers said they needed to be within about 30 metres of a vulnerable LIFX bulb.

In other words, a hacker simply needed to sit outside a target's home. Chief executive officer and co-founder of LIFX, Phil Bosua, recently told Fairfax Media more than 100,000 LIFX bulbs had been shipped to customers. Responding to the security researchers' findings, LIFX issued a software update that users can download to upgrade their bulbs. LIFX said in a blog post announcing the vulnerability and upgrade that it believed no LIFX users had been affected because it had received no reports from users about the issue.

"We recommend that all users stay up-to-date with the latest firmware and app updates," LIFX said. Depending on which version of software a user's light bulb has, the update can take as long as two hours, Fairfax has found. "Expected firmware update times are dependent and directly affected by your network conditions such as Wi-Fi signal strength and the location of your bulbs," Simon Walker, head of LIFX global marketing, said. "In an ideal scenario, the expected update time for a single bulb can take between 45 minutes to an hour. As more bulbs are added or radio signal drops, this expected time will increase." This will change in future updates, LIFX said, as the way the bulbs are upgraded has been altered to speed up the process.

"Our first major update, version 1.3, has been distributed throughout the home via mesh protocol, which is slow," Bosua said. "The next public firmware release will be distributed via Wi-Fi and will take approximately one to two minutes per bulb." Bosua said LIFX took security "very seriously" and was "actively engaged in security testing, both internally and externally". When interviewed recently at his company's headquarters in Portola Valley, before the vulnerability was discovered, Bosua seemed to suggest the worst a hacker could do was "turn your lights on and off" if a security flaw was ever found in LIFX bulbs. "It'd be just annoying," he said. Asked what he was doing to protect the bulbs from hackers, he said the company was working with a security company to ensure they were secure.