A joint team of experts from Italy and the UK identified four vulnerabilities in the TP-Link Tapo L530E smart bulb and its corresponding Tapo application. These vulnerabilities potentially enable malicious actors to gain unauthorized access to users’ WiFi passwords.
TP-Link Tapo L530E has achieved significant sales success across various platforms, notably on Amazon. The Tapo app by TP-Link, designed for smart device management, has been downloaded over 10 million times from Google Play.
Given its widespread usage, the researchers from the Università di Catania and the University of London decided to delve into the product’s security features. Their primary motivation behind the study was to highlight the potential security loopholes present in the multitude of smart IoT devices that consumers use daily. Regrettably, many of these gadgets employ questionable data transmission methods and lack robust authentication measures.
Smart Bulb Security Gaps
The initial vulnerability identified relates to flawed authentication in the Tapo L530E. This weakness could enable malicious entities to impersonate the device during the crucial session key exchange phase.
This vulnerability, with a CVSS v3.1 score of 8.8, empowers potential adversaries in close proximity to access Tapo user credentials and control Tapo devices.
The subsequent vulnerability, rated at a CVSS v3.1 score of 7.6, involves a hardcoded short checksum shared secret. Malevolent actors can potentially acquire this by brute force or by decompiling the Tapo app.
An additional flaw pertains to a predictable cryptographic scheme due to the absence of randomness in symmetric encryption.
The last identified vulnerability is the absence of freshness checks for incoming messages. As a result, session keys remain active for 24 hours, offering potential hackers a window to reuse those messages.
The most alarming potential exploitation involves mimicking the bulb and extracting Tapo user information by leveraging the first and second vulnerabilities.
Once they gain access to the Tapo app, the intruder can discern the WiFi SSID and password, enabling them to connect to all devices on that network.
For the exploit to be successful, the device must be in setup mode. However, attackers can force the bulb into this mode by deauthenticating it, pushing the owner to reset the device.
Another exploit scenario involves a Man-In-The-Middle (MITM) assault on a configured Tapo L530E device. This would capitalize on the first vulnerability, enabling interception and tampering of communications between the bulb and app. It also exposes the RSA encryption keys meant for subsequent data interactions.
MITM exploits can also be orchestrated on unconfigured devices, again exploiting the first vulnerability. This involves connecting to WiFi during the setup phase, bridging two networks, and routing specific messages, ultimately revealing Tapo credentials, SSIDs, and WiFi passwords in a decodable base64 format.
Moreover, the fourth vulnerability allows for replay attacks, where previously intercepted messages can be resent to modify device settings.
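The fourth vulnerability and the replay scenario above come down to the receiver never asking whether a message is fresh. The following is an added illustration, not code from the article or from TP-Link: a hypothetical command receiver that, in its weak mode, accepts any correctly authenticated message for as long as the session key lives, and in its hardened mode rejects stale messages and repeated nonces. The HMAC-based message format, key and timestamps are constructed for the example and do not reproduce Tapo's actual protocol.

```python
import hashlib
import hmac
import json
import secrets

# Constructed session key; the article does not describe Tapo's actual key material.
SESSION_KEY = secrets.token_bytes(32)
FRESHNESS_WINDOW = 30  # seconds during which a message counts as fresh

def build_message(key: bytes, command: dict, now: float) -> dict:
    """Attach a random nonce and a timestamp, then MAC the whole body."""
    body = {"cmd": command, "nonce": secrets.token_hex(16), "ts": int(now)}
    raw = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return body

class Receiver:
    """check_freshness=False mirrors the flaw: a valid MAC under a live key is enough."""
    def __init__(self, key: bytes, check_freshness: bool):
        self.key = key
        self.check_freshness = check_freshness
        self.seen_nonces = set()

    def accept(self, msg: dict, now: float) -> bool:
        body = {k: v for k, v in msg.items() if k != "mac"}
        raw = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False  # tampered or forged
        if not self.check_freshness:
            return True   # replayed message goes through unchanged
        if abs(now - msg["ts"]) > FRESHNESS_WINDOW:
            return False  # stale message (or excessive clock skew)
        if msg["nonce"] in self.seen_nonces:
            return False  # exact replay inside the window
        self.seen_nonces.add(msg["nonce"])
        return True

def replay_demo() -> dict:
    t0 = 1_700_000_000.0  # constructed capture time
    captured = build_message(SESSION_KEY, {"device_on": True}, t0)
    weak = Receiver(SESSION_KEY, check_freshness=False)
    hardened = Receiver(SESSION_KEY, check_freshness=True)
    return {
        "weak_first": weak.accept(captured, t0),
        "weak_replay_12h": weak.accept(captured, t0 + 12 * 3600),
        "hardened_first": hardened.accept(captured, t0),
        "hardened_replay_5s": hardened.accept(captured, t0 + 5),
        "hardened_replay_12h": hardened.accept(captured, t0 + 12 * 3600),
    }
```

With a 24-hour key lifetime the weak receiver still honours the captured command twelve hours later, whereas the hardened receiver refuses both the immediate repeat (nonce already seen) and the late one (outside the freshness window).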
Addressing the Issues
Upon discovering these vulnerabilities, the academic team reached out to TP-Link to share their findings. The company acknowledged the concerns and assured that they would soon introduce corrective measures in both the app and the bulb’s firmware.
However, it remains uncertain whether these remedies have already been rolled out or which editions still harbor these vulnerabilities.
BleepingComputer has reached out to TP-Link for more information regarding security enhancements and affected versions. Updates on this matter are expected shortly.
For enhanced IoT security, experts advise isolating such devices from essential networks, keeping firmware and apps up to date, and fortifying accounts with multi-factor authentication and robust passwords.