
TP-Link Smart Bulb Vulnerabilities Expose Households to Hacker Attacks

Vulnerabilities in the TP-Link Tapo L530E smart bulb and accompanying mobile application can be exploited to obtain the local Wi-Fi password.

Four vulnerabilities identified by academic researchers from Italy and the UK in the TP-Link Tapo L530E smart bulb and its accompanying mobile application can be exploited to obtain the local Wi-Fi network’s password.

Currently a best-seller on Amazon Italy, the TP-Link Tapo smart Wi-Fi light bulb (L530E) is cloud-enabled and can be controlled using a Tapo application (available on both Android and iOS) and a Tapo account.

The most severe of the identified issues is described as a “lack of authentication of the smart bulb with the Tapo app”, which allows an attacker to impersonate a smart bulb and authenticate to the application. The issue has a CVSS score of 8.8.

With a CVSS score of 7.6, the second bug impacts both the smart bulb and the Tapo app, which use a hardcoded, short shared secret exposed by code fragments.

The third and fourth issues have severity ratings of ‘medium’ and are related to message transmissions between the application and the smart bulb.

The app and the bulb, the academics explain in a research paper (PDF), use static initialization vectors for each message and do not check the freshness of the received messages.

By exploiting the first vulnerability, the researchers say, an attacker within the range of the smart bulb – and of the local Wi-Fi network – can learn the victim’s Tapo credentials, as well as their Wi-Fi credentials.

The issue can only be exploited if the smart bulb is in setup mode, when it exposes its SSID. If it is already connected, however, the attacker can mount a Wi-Fi deauthentication attack and repeat it until the user resets the bulb.

The remaining flaws allow an attacker to obtain the key that the app and smart bulb use for authentication and message integrity checks and tamper with the authentication process. They can also be leveraged to reuse messages sent by the application to operate the device, while ensuring that these messages are accepted.
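The missing freshness check described above is what lets a captured message be accepted a second time. The following is an added example, not code from the article, the research paper or TP-Link: a receiver that only verifies a message tag beside one that also requires a strictly increasing counter. The message layout, the class names and the JSON commands are assumptions made for illustration and do not reproduce the Tapo protocol.

```python
import hashlib
import hmac
import os
import struct

# Constructed session key for the demo (assumption: it comes from an
# authenticated key exchange, not a secret hardcoded in app or firmware).
SESSION_KEY = os.urandom(32)

def seal(key, counter, command):
    """Sender: 8-byte big-endian counter + command + HMAC-SHA256 over both."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify(key, message):
    """Return (counter, command) when the tag is valid, otherwise None."""
    if len(message) < 8 + 32:
        return None
    body, tag = message[:-32], message[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">Q", body[:8])[0], body[8:]

class IntegrityOnlyReceiver:
    """Checks the tag only, so a captured message is accepted again."""
    def __init__(self, key):
        self.key = key
    def accept(self, message):
        return verify(self.key, message) is not None

class FreshnessReceiver:
    """Also requires a strictly increasing counter, so replays are rejected."""
    def __init__(self, key):
        self.key = key
        self.last_counter = -1
    def accept(self, message):
        parsed = verify(self.key, message)
        if parsed is None or parsed[0] <= self.last_counter:
            return False
        self.last_counter = parsed[0]
        return True

if __name__ == "__main__":
    on = seal(SESSION_KEY, 1, b'{"on": true}')  # constructed command
    for rx in (IntegrityOnlyReceiver(SESSION_KEY), FreshnessReceiver(SESSION_KEY)):
        print(type(rx).__name__, [rx.accept(on), rx.accept(on)])
```

The example covers freshness only; the static initialization vector issue is a separate flaw that needs a unique IV or nonce for every encrypted message.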

The researchers reported the identified flaws via TP-Link’s vulnerability reporting program. The manufacturer informed them that it has started working on fixes.

The academics conducted their research using the IoT penetration testing tool PETIoT (PEnetration Testing the Internet of Things).

“Contrary to a potential belief that smart bulbs are not worth protecting or hacking, we found out that this model suffers four vulnerabilities that are not trivial and, most importantly, may have a dramatic impact,” the academics note.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
