TP-Link Smart Bulb Spills Wi-Fi Passwords

Security researchers from Italy and London have discovered several vulnerabilities in a popular brand of smart light bulbs, which could allow attackers to discover their target’s Wi-Fi password.

The new paper comes from Catania University’s Davide Bonaventura and Giampaolo Bella, and Royal Holloway, University of London’s Sergio Esposito.

It analyzed the cloud-enabled TP-Link Tapo L530E, which is claimed to be a best seller on Amazon and other marketplaces.

The researchers applied the steps of the PETIoT kill chain to carry out Vulnerability Assessment and Penetration Testing (VAPT). They found four bugs which could have a “dramatic impact,” according to the paper:

  • A high severity bug related to a lack of authentication of the smart bulb to the accompanying smartphone app, meaning anyone can authenticate to the app pretending to be the smart bulb
  • A high severity bug related to a hard-coded, too-short secret shared by the Tapo app and smart bulb, which is exposed by code fragments run by the app and smart bulb
  • A medium severity vulnerability related to a lack of randomness during symmetric encryption
  • A medium severity vulnerability that could be used with the bug above to cause denial of service

“In short, authentication is not well accounted for and confidentiality is insufficiently achieved by the implemented cryptographic measures,” the report noted.

“In consequence, an attacker who is nearby the bulb can operate at will not just the bulb but all devices of the Tapo family that the user may have on her Tapo account. Moreover, the attacker can learn the victim’s Wi-Fi password, thereby escalating his malicious potential considerably.”

The researchers responsibly disclosed their findings to the Taiwanese manufacturer and were told firmware updates would be issued to fix the bugs. However, it’s not clear from the paper whether these have been made available yet.

“These assistive and clever devices can be the weak link into the trusted home environment; a beachhead for malicious actors to then gain horizontal access to other devices behind the ‘secure’ firewall,” warned Synopsys senior R&D manager for data science, Andrew Bolster.

“As we add increasingly smart devices, be it fridges, voice assistants, heating controllers, vacuum cleaners, etc, opportunity for security failures to spread expands exponentially.”
