Four vulnerabilities identified by academic researchers from Italy and the UK in the TP-Link Tapo L530E smart bulb and its accompanying mobile application can be exploited to obtain the local Wi-Fi network’s password.
Currently a best-seller on Amazon Italy, the TP-Link Tapo smart Wi-Fi light bulb (L530E) is cloud-enabled and can be controlled using a Tapo application (available on both Android and iOS) and a Tapo account.
The most severe of the identified issues is described as a “lack of authentication of the smart bulb with the Tapo app”, which allows an attacker to impersonate a smart bulb and authenticate to the application. The issue has a CVSS score of 8.8.
With a CVSS score of 7.6, the second bug impacts both the smart bulb and the Tapo app, which use a hardcoded, short shared secret exposed by code fragments.
The third and fourth issues have severity ratings of ‘medium’ and are related to message transmissions between the application and the smart bulb.
The app and the bulb, the academics explain in a research paper (PDF), use static initialization vectors for each message and do not check the freshness of the received messages.
By exploiting the first vulnerability, the researchers say, an attacker within the range of the smart bulb – and of the local Wi-Fi network – can learn the victim’s Tapo credentials, as well as their Wi-Fi credentials.
The issue can only be exploited if the smart bulb is in setup mode, when it exposes its SSID. If it is already connected, however, the attacker can mount a Wi-Fi deauthentication attack and repeat it until the user resets the bulb.
The remaining flaws allow an attacker to obtain the key that the app and smart bulb use for authentication and message integrity checks and tamper with the authentication process. They can also be leveraged to reuse messages sent by the application to operate the device, while ensuring that these messages are accepted.
The researchers reported the identified flaws via TP-Link’s vulnerability reporting program. The manufacturer informed them that it has started working on fixes.
The academics conducted their research using the IoT penetration testing tool PETIoT (PEnetration Testing the Internet of Things).
“Contrary to a potential belief that smart bulbs are not worth protecting or hacking, we found out that this model suffers four vulnerabilities that are not trivial and, most importantly, may have a dramatic impact,” the academics note.