These smart light bulbs could steal your Wi-Fi password

TP-Link smart bulb inside a lamp.

If it’s connected to the internet, it can get hacked — yes, even some of the best smart bulbs. While smart bulbs make it easy to adjust the lighting and ambiance in your room, they connect to Wi-Fi, which makes them susceptible to attacks. Researchers from the Universita di Catania and the University of London discovered a particular vulnerability in the TP-Link Tapo L530E smart bulb and the accompanying TP-Link Tapo app. It seems that hackers could gain access to your passwords just through the smart bulb.

These days, smart devices are more and more prominent in households across the globe. The TP-Link Tapo L530E is a popular smart bulb, which is what drove the researchers to analyze it and attempt to find flaws within its security. Unfortunately, they found at least four vulnerabilities, all stemming from the fact that the bulb’s security measures might be insufficient.

The first flaw, deemed a high-severity vulnerability, stems from the fact that attackers could potentially impersonate the Tapo L503E during the session key exchange. Scored at 8.8 on the severity scale, this vulnerability reportedly allows the hacker to steal the user’s Tapo passwords and take control of their smart devices. The second high-severity flaw (rated at 7.6) is related to the weak checksum code used by the smart bulbs, which makes it easy for potential attackers to figure out, either through brute-forcing it or by going through the code of the Tapo app.

The other two vulnerabilities are less severe. One concerns the fact that there’s a significant lack of randomness during encryption, which makes it easier for threat actors to predict and decode the cryptographic scheme. Lastly, it appears that any messages received by the smart bulb remain accessible to the attackers for a whole 24 hours.

What good can it do to hack a smart bulb? Well, it turns out it’s more dangerous than it seems. The highest-rated vulnerability actually allows attackers to impersonate your smart bulb and steal your Tapo details. From then, they’d be able to see your Wi-Fi SSID and password, which would then potentially expose all the other devices connected to that network. Fortunately, it appears that the device needs to be in setup mode for the attack to be possible — but hackers can remove the authentication from the smart bulb, forcing the setup mode to be used.

TP-Link Tapo smart bulb.

There’s also potential for a Man-in-the-Middle (MITM) attack, which relies on the aforementioned vulnerability to retrieve RSA encryption keys that can later be used to exchange data. Ultimately, it appears that not just Tapo credentials, but also Wi-Fi passwords and potentially other sensitive data could be at risk.

The researchers described all four vulnerabilities in a paper, which was then reported on by Bleeping Computer. Before making the matter public, they disclosed the vulnerabilities to TP-Link, which has promised to update the bulb’s firmware to fix these problems. However, it’s unclear how long it’s going to take for this to be addressed.

What can you do to stay safe? Most of all, don’t neglect using multi-factor authentication (MFA) on every device and app that allows it. Use secure passwords and never use the same password twice. As for smart home devices in general, if you can keep them away from important networks, that might be for the best, as they often don’t offer the same kind of security that you’d expect from more advanced devices.

Editors’ Recommendations

Leave a Comment