The vulnerabilities of the smart bulb were identified by cybersecurity researchers from Italy and the United Kingdom.
Summary
- Security researchers have found vulnerabilities in the TP-Link Tapo L530E smart bulb and the corresponding Tapo app.
- These vulnerabilities could allow attackers to steal users’ WiFi passwords and gain unauthorized access to their networks.
- The vulnerabilities are rated as high and medium severity, and affect both the hardware and software of the smart bulb.
- TP-Link has acknowledged the vulnerabilities and is working on a fix.
- In the meantime, users are advised to update the firmware of their smart bulbs and use strong passwords.
In the era of expanding home automation, the convenience of controlling devices remotely and optimizing energy consumption is met with an emerging concern: the security of interconnected smart devices.
A recent investigation by security researchers from Italy and the UK has illuminated potential vulnerabilities in the popular TP-Link Tapo L530E smart bulb and the corresponding Tapo app, exposing users to the risk of having their WiFi passwords stolen by malicious actors.
The TP-Link Tapo L530E smart bulb, a common sight in homes and available on major marketplaces such as Amazon, has become a focal point for researchers due to its extensive adoption. The study (PDF), conducted by experts from the Universita di Catania and the University of London, talks about broader security risks prevalent in the expansive world of Internet of Things (IoT) devices, many of which exhibit subpar authentication safeguards and insecure data transmission practices.
The following four distinct vulnerabilities have been identified within the TP-Link Tapo L530E smart bulb and the Tapo app, each presenting its unique security implications:
Improper Authentication:
The primary vulnerability is rooted in improper authentication during the session key exchange process. This flaw permits attackers in close proximity to the device to impersonate it, resulting in the compromise of Tapo user passwords and control over Tapo devices. With a high-severity CVSS v3.1 score of 8.8, this exploit represents a substantial risk.
Hard-coded Weakness:
The second vulnerability, also high-severity with a CVSS v3.1 score of 7.6, is a result of a hardcoded short checksum shared secret. Malicious actors can exploit this flaw by engaging in brute-forcing techniques or by decompiling the Tapo app.
Predictable encryption:
The third flaw, rated with a medium severity, pertains to the predictable nature of symmetric encryption due to a lack of randomness in its application.
Replay Attacks:
Lastly, the fourth vulnerability allows attackers to conduct replay attacks, effectively replicating previously intercepted messages to manipulate device functions.
Keeping in mind the vulnerabilities above, the researchers showcased several scenarios which a malicious actor may be inclined to employ. In the first scenario, an attacker exploits the first and second vulnerabilities to impersonate the smart bulb and compromise a user’s Tapo account.
By infiltrating the Tapo app, the attacker can extract critical WiFi information, including the SSID and password, enabling unauthorized access to all devices linked to the same network. Though this attack requires the device to be in setup mode, attackers can easily disrupt the bulb’s functionality and prompt a reset, thus enabling the execution of the attack.
For the second scenario, the researchers delved into Man-in-the-Middle (MITM) attacks, showcasing the potential for attackers to intercept and manipulate communications between the Tapo app and the bulb.
By exploiting the first vulnerability, attackers can capture RSA encryption keys, which are then exploited to decode further data exchanges. Moreover, unconfigured Tapo devices can be utilized in MITM attacks to extract sensitive information during the setup process.
In a comment to Hackread.com, Andrew Bolster, Senior R&D Manager for Data Science at Synopsys Software Integrity Group told Hackread.com that, “These new vulnerability notices demonstrate again that while consumers want to believe that the smart devices that we bring into our homes and make part of our lives are somehow completely isolated and secure, security is not that simple.”
Andrew warned that “As Synopsys previously demonstrated with last year’s Vulnerability Advisory on IKEA smart bulbs, these assistive and clever devices can be the weak-link into the trusted home environment; A beachhead for malicious actors to then gain horizontal access to other devices behind the ‘secure’ firewall. And as we add increasingly smart devices, be it fridges, voice assistants, heating controllers, vacuum cleaners, etc, opportunity for security failures to spread expands exponentially.”
“As with any modern security threat model, defence-in-depth and trust-but-verify stand; smart devices should be kept on separate WiFi networks from personal devices where possible, and the inbound/outbound connections into this network should be heavily restricted,” he emphasised.
The findings of this investigation have been responsibly disclosed to TP-Link, prompting acknowledgement from the vendor. Assurances have been made that fixes for the vulnerabilities will be implemented in both the app and the bulb’s firmware. However, specific details about the availability of these fixes and the versions still susceptible remain undisclosed.
Here are some additional safety guidelines that users should follow:
- Only connect your smart bulbs to trusted networks.
- Keep your smart bulbs up to date with the latest firmware.
- Be careful about what information you share with smart bulb apps.
- Use strong passwords and enable multi-factor authentication for your smart bulb accounts.
- If you think your smart bulb has been compromised, change your passwords and reset your devices.
In light of these vulnerabilities and the expanding realm of IoT devices, isolating such devices from critical networks, updating firmware and app versions, and bolstering account protection through strong passwords and multi-factor authentication remains the recommended practices.
RELATED ARTICLES
- IoT devices could help authorities solve criminal cases
- Hackers can use flaw in Philips smart light bulbs to spread malware
- Hackers can clone your lock keys by recording clicks from smartphone
- Whitehat hacker shows how to detect hidden cameras in Airbnb, hotels
- Lamphone attack recovers secretive conversations via hanging light bulb