TP-Link Smart Bulbs Can Leak Your Wi-Fi Password
Researchers have discovered four vulnerabilities in the TP-Link Tapo L530E smart bulb and its companion mobile app, TP-Link Tapo. These issues can be exploited to obtain the password for a local Wi-Fi network.
Experts from the University of Catania and the University of London chose to study this product due to its massive popularity: the TP-Link Tapo L530E is one of the best-selling smart bulbs on many marketplaces, including Amazon, and the TP-Link Tapo app has been downloaded over 10 million times from the Google Play Store.
The main goal of the researchers was to draw attention to the security risks of billions of smart IoT devices, many of which transmit data insecurely and have weak authentication protections.
Details of the Vulnerabilities
- First Vulnerability: Improper authentication during the session key exchange lets an attacker impersonate the bulb to the Tapo app. Rated 8.8 on the CVSS scale, it allows an attacker within Wi-Fi range of the device to obtain the Tapo user password and take control of the bulb.
- Second Vulnerability: Rated 7.6 on the CVSS scale, this flaw is in the Tapo app, which relies on a hard-coded, short checksum of a shared secret. Because the checksum is short it can be brute-forced, and the value can also be read directly by decompiling the app.
- Third Vulnerability: The symmetric encryption uses no per-message randomness, so the scheme is deterministic: the same command always produces the same ciphertext, which an observer can recognize and reuse.
- Fourth Vulnerability: Received messages are not checked for freshness, and session keys remain valid for 24 hours, so an attacker who captures a message can replay it at any point in that window.
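The third and fourth items are easiest to see side by side. The block below is an added illustration, not code from the research paper, the Tapo app or TP-Link, and it does not reproduce the Tapo protocol. It models a bulb that takes JSON commands under a toy HMAC-SHA256 counter-mode stream cipher (an assumed stand-in for the real symmetric scheme), first with a fixed nonce and no freshness field, then hardened with a per-message random nonce, a sequence number, a timestamp window and a MAC. The session key, the command format and the 30-second skew window are all assumptions.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed demo session key; the real Tapo session key is derived differently.
DEMO_KEY = hashlib.sha256(b"demo-session-key").digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256(key, nonce || counter) blocks."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR over the common prefix of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


# --- Weak scheme: fixed nonce (no randomness) and no freshness field ---------
FIXED_NONCE = b"\x00" * 16  # assumed: the same nonce for every message


def weak_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, FIXED_NONCE, len(plaintext)))


class WeakBulb:
    """Accepts any message that decrypts to valid JSON, replays included."""

    def __init__(self, key: bytes):
        self.key, self.state = key, "off"

    def receive(self, ciphertext: bytes) -> str:
        cmd = json.loads(xor(ciphertext, keystream(self.key, FIXED_NONCE, len(ciphertext))))
        self.state = cmd["set"]
        return self.state


# --- Hardened scheme: random nonce, sequence number, timestamp, MAC ----------
def subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the session key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def strong_encrypt(key: bytes, seq: int, plaintext: bytes, now: int) -> bytes:
    enc, mac = subkeys(key)
    nonce = os.urandom(16)                      # fresh randomness per message
    header = struct.pack(">QQ", seq, now)       # sequence number and send time
    ct = xor(plaintext, keystream(enc, nonce, len(plaintext)))
    tag = hmac.new(mac, nonce + header + ct, hashlib.sha256).digest()
    return nonce + header + ct + tag


class StrongBulb:
    WINDOW = 30  # seconds of clock skew tolerated (assumed value)

    def __init__(self, key: bytes):
        self.enc, self.mac = subkeys(key)
        self.state, self.last_seq = "off", -1

    def receive(self, msg: bytes, now: int) -> str:
        nonce, header, ct, tag = msg[:16], msg[16:32], msg[32:-32], msg[-32:]
        expected = hmac.new(self.mac, nonce + header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag")
        seq, ts = struct.unpack(">QQ", header)
        if seq <= self.last_seq:                # already seen: replay
            raise ValueError("replay")
        if abs(now - ts) > self.WINDOW:         # too old or from the future: stale
            raise ValueError("stale")
        self.last_seq = seq
        cmd = json.loads(xor(ct, keystream(self.enc, nonce, len(ct))))
        self.state = cmd["set"]
        return self.state


def run_demo(key: bytes = DEMO_KEY) -> dict:
    on, off = b'{"set":"on"}', b'{"set":"off"}'   # constructed commands
    r = {}
    # Vulnerability 3: same plaintext gives same ciphertext, and keystream reuse
    # means c_on XOR c_off equals on XOR off over their common prefix.
    c_on, c_off = weak_encrypt(key, on), weak_encrypt(key, off)
    r["deterministic"] = weak_encrypt(key, on) == c_on
    r["xor_leak"] = xor(c_on, c_off) == xor(on, off)
    # Vulnerability 4: a captured 'on' message is accepted again later.
    weak = WeakBulb(key)
    weak.receive(c_on)
    weak.receive(c_off)
    r["weak_replay"] = weak.receive(c_on)
    # Hardened bulb: first delivery is accepted, replays and stale messages are not.
    t0 = 1_700_000_000
    strong = StrongBulb(key)
    m = strong_encrypt(key, 1, on, t0)
    r["strong_first"] = strong.receive(m, t0 + 1)
    for label, msg, t in (("replay_now", m, t0 + 2),
                          ("replay_6h", m, t0 + 6 * 3600),
                          ("stale", strong_encrypt(key, 2, off, t0 - 600), t0)):
        try:
            strong.receive(msg, t)
            r[label] = "accepted"
        except ValueError as e:
            r[label] = str(e)
    return r
```

The six-hour replay is the case the article describes: the session key is still valid, but the hardened receiver rejects the message on its sequence number alone, so key lifetime no longer bounds the replay window.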
According to the researchers, the most dangerous scenario combines the first and second vulnerabilities: the attacker impersonates the bulb and harvests the victim's Tapo account credentials. With access to that account in the Tapo app, the attacker can read the Wi-Fi SSID and password, join the network, and reach every other device connected to it.
This attack only works while the bulb is in setup mode. An attacker can, however, force the bulb to deauthenticate from the network, which prompts the user to set it up again to restore functionality.
How Attackers Can Impersonate a TP-Link Tapo Device
Another attack method is a Man-in-the-Middle (MitM) attack on an already configured Tapo L530E, which uses the first vulnerability to intercept and manipulate traffic between the app and the bulb. This lets the attacker capture the RSA encryption keys used to protect subsequent data exchanges.
MitM attacks also work against an unconfigured device: the attacker again uses the first vulnerability to join the Wi-Fi network during setup, bridges the two networks and relays discovery messages, which reveals the Tapo password, the SSID and the Wi-Fi password.
The researchers reported these issues to TP-Link, and the company has stated that it will soon release fixes for both the app and the smart bulb firmware. As shown in the table below, some patches have already been released.