A popular smart light bulb from TP-Link suffers from severe security flaws that could give hackers passwords and other information, researchers said Wednesday.
A paper examined four flaws in the bestselling TP-Link Tapo L530E, which works with Apple’s HomeKit platform.
TP-Link smart light bulb may give away passwords and more
The paper divulging flaws in the cloud-enabled TP-Link Tapo L530E smart bulb comes from researchers at Catania University and the University of London, according to Infosecurity Magazine and other sources.
The magazine described the report’s findings this way:
The researchers applied the steps of the PETIoT kill chain to carry out Vulnerability Assessment and Penetration Testing (VAPT). They found four bugs which could have a “dramatic impact,” according to the paper:
- A high severity bug related to a lack of authentication with the accompanying smartphone app, meaning anyone can authenticate to the app pretending to be the smart bulb.
- A high severity bug related to a hard-coded and too short secret shared by the Tapo app and smart bulb, which is exposed by code fragments run by the app and smart bulb.
- A medium severity vulnerability related to a lack of randomness during symmetric encryption.
- A medium severity vulnerability that could be used with the bug above to cause denial of service.
“In short, authentication is not well accounted for and confidentiality is insufficiently achieved by the implemented cryptographic measures,” the report said.
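The third bullet above, a symmetric cipher used without fresh randomness, is easy to see in code. The following Go program is an added illustration and is not the bulb's firmware, the Tapo app's code, or anything taken from the paper: it assumes AES-128 in CBC mode (a common choice for this kind of device traffic, stated here only as an assumption), a constructed 16-byte key, and two constructed JSON-style commands. It encrypts the same pair of commands once with a constant all-zero IV and once with a CSPRNG-generated IV, then counts how many leading 16-byte blocks of the two transmissions an eavesdropper would see in common.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pkcs7Pad pads b to a whole number of AES blocks (PKCS#7).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC returns iv || AES-CBC(key, iv, pkcs7(plaintext)).
// The IV is sent in the clear, as is normal for CBC: its job is to be
// unpredictable, not secret.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes", aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), nil
}

// FixedIV models the weak pattern: one constant IV reused for every message.
var FixedIV = make([]byte, aes.BlockSize) // sixteen zero bytes

// RandomIV is the correct pattern: a fresh IV from a CSPRNG per message.
func RandomIV() ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	_, err := rand.Read(iv)
	return iv, err
}

// EqualLeadingBlocks counts the 16-byte blocks that a and b share from the start.
// This is exactly what a passive observer on the Wi-Fi can compute without the key.
func EqualLeadingBlocks(a, b []byte) int {
	n := 0
	for (n+1)*aes.BlockSize <= len(a) && (n+1)*aes.BlockSize <= len(b) {
		lo, hi := n*aes.BlockSize, (n+1)*aes.BlockSize
		if !bytes.Equal(a[lo:hi], b[lo:hi]) {
			break
		}
		n++
	}
	return n
}

// LeakedBlocks encrypts m1 and m2 under the chosen IV policy and reports how
// many leading blocks of the two transmissions are identical.
func LeakedBlocks(key []byte, fixedIV bool, m1, m2 []byte) (int, error) {
	iv1, iv2 := FixedIV, FixedIV
	if !fixedIV {
		var err error
		if iv1, err = RandomIV(); err != nil {
			return 0, err
		}
		if iv2, err = RandomIV(); err != nil {
			return 0, err
		}
	}
	c1, err := EncryptCBC(key, iv1, m1)
	if err != nil {
		return 0, err
	}
	c2, err := EncryptCBC(key, iv2, m2)
	if err != nil {
		return 0, err
	}
	return EqualLeadingBlocks(c1, c2), nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, not a real device secret
	// Constructed commands: identical except for the final field.
	on := []byte(`{"cmd":"set_device_info","on":true}`)
	off := []byte(`{"cmd":"set_device_info","on":false}`)

	fixed, _ := LeakedBlocks(key, true, on, off)
	random, _ := LeakedBlocks(key, false, on, off)
	fmt.Printf("fixed IV:  %d leading blocks identical (observer learns the two commands share a prefix)\n", fixed)
	fmt.Printf("random IV: %d leading blocks identical\n", random)
}
```

With the constant IV the IV block and the first ciphertext block match, so an observer can tell that two captured messages begin with the same command even though they cannot read it, and two identical messages produce byte-for-byte identical ciphertext, which also makes replaying a captured command trivial to mistake for a fresh one. With a per-message random IV the two transmissions differ from the first byte.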
An attacker who exploited these flaws could take control of the bulb and of other Tapo devices linked to the same account, and could also recover the user’s Wi-Fi password.
TP-Link will issue firmware fixes at some point
The researchers reported the findings to TP-Link, which said it will issue firmware updates to fix the problems. It is not clear when that will happen.
“These assistive and clever devices can be the weak link into the trusted home environment; a beachhead for malicious actors to then gain horizontal access to other devices behind the ‘secure’ firewall,” said Synopsys senior R&D manager for data science, Andrew Bolster.
“As we add increasingly smart devices, be it fridges, voice assistants, heating controllers, vacuum cleaners, etc., opportunity for security failures to spread expands exponentially,” he added.