Is your smart light bulb giving passwords to hackers?

A research paper found TP-Link's Tapo L530E smart bulb suffers four security flaws.
Photo: TP-Link

A popular smart light bulb from TP-Link suffers from severe security flaws that could give hackers passwords and other information, researchers said Wednesday.

A paper examined four flaws in the bestselling TP-Link Tapo L530E, which works with Apple’s HomeKit platform.

TP-Link smart light bulb may give away passwords and more

The paper divulging flaws in the cloud-enabled TP-Link Tapo L530E smart bulb comes from researchers at Catania University and the University of London, according to Infosecurity Magazine and other sources.

TP-Link built up its arsenal of HomeKit-enabled wares in 2022, including a new light strip and the whole Tapo lineup.

The magazine described the report’s findings this way:

The researchers applied the steps of the PETIoT kill chain to carry out Vulnerability Assessment and Penetration Testing (VAPT). They found four bugs which could have a “dramatic impact,” according to the paper:

  • A high severity bug related to a lack of authentication with the accompanying smartphone app, meaning anyone can authenticate to the app pretending to be the smart bulb.
  • A high severity bug related to a hard-coded and too short secret shared by the Tapo app and smart bulb, which is exposed by code fragments run by the app and smart bulb.
  • A medium severity vulnerability related to a lack of randomness during symmetric encryption.
  • A medium severity vulnerability that could be used with the bug above to cause denial of service.
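The third bug in the list, a lack of randomness during symmetric encryption, is easy to underestimate, so here is an added illustration of why it is rated a vulnerability at all. This is example code written for this article, not code from the paper, from TP-Link, or from the Tapo protocol (whose cipher and message format are not described here). It uses a deliberately simple, hypothetical hash-based stream cipher as a stand-in for any symmetric mode that needs a fresh nonce per message, and constructed sample messages and a constructed key. With a fixed nonce, two ciphertexts XOR together to the XOR of the two plaintexts, and identical messages become recognisable on the wire without the key; with a fresh random nonce prepended to each message, neither holds.

```python
import hashlib
import secrets

# Hypothetical toy cipher: keystream block i = SHA-256(key || nonce || i).
# It stands in for a real nonce-based mode; the property shown below
# (nonce reuse leaks plaintext relationships) is the same for real ciphers.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


# --- Weak setting: the nonce never changes ("lack of randomness") ---
FIXED_NONCE = b"\x00" * 12


def fixed_nonce_leaks_xor(key: bytes, m1: bytes, m2: bytes) -> bool:
    """A passive observer with c1 and c2 (and no key) obtains m1 XOR m2."""
    c1 = encrypt(key, FIXED_NONCE, m1)
    c2 = encrypt(key, FIXED_NONCE, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1[: len(m2)], m2[: len(m1)])


def fixed_nonce_reveals_repeats(key: bytes, m: bytes) -> bool:
    """The same command sent twice produces byte-identical ciphertext."""
    return encrypt(key, FIXED_NONCE, m) == encrypt(key, FIXED_NONCE, m)


# --- Corrected setting: fresh random nonce per message, sent with it ---
NONCE_LEN = 12


def encrypt_fresh(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)  # new nonce every call
    return nonce + encrypt(key, nonce, plaintext)


def decrypt_fresh(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return decrypt(key, nonce, ciphertext)


def fresh_nonce_hides_repeats(key: bytes, m: bytes) -> bool:
    """Two encryptions of the same message are no longer recognisable as equal."""
    return encrypt_fresh(key, m)[NONCE_LEN:] != encrypt_fresh(key, m)[NONCE_LEN:]


if __name__ == "__main__":
    key = secrets.token_bytes(32)                 # constructed key
    a, b = b"set_brightness=10", b"set_brightness=99"  # constructed messages
    print("fixed nonce leaks m1^m2:", fixed_nonce_leaks_xor(key, a, b))
    print("fixed nonce reveals repeats:", fixed_nonce_reveals_repeats(key, a))
    print("fresh nonce hides repeats:", fresh_nonce_hides_repeats(key, a))
    print("fresh nonce round-trips:", decrypt_fresh(key, encrypt_fresh(key, a)) == a)
```

The fix is the one any nonce-based mode requires: generate the nonce from a cryptographic random source for every message and transmit it alongside the ciphertext, so that reuse (and with it the leak) never occurs even when the same command is sent repeatedly.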

Poor authentication

You might want to check which smart bulbs you’re using with HomeKit right now.
Photo: TP-Link

“In short, authentication is not well accounted for and confidentiality is insufficiently achieved by the implemented cryptographic measures,” the report said.

A hacker could access both the bulb and other Tapo devices associated with the account. And they could get the user’s Wi-Fi password, too.

TP-Link will issue firmware fixes at some point

The researchers sent the findings to TP-Link in Taiwan, which said it will issue firmware updates to fix the problems. But it’s not clear when that will happen.

“These assistive and clever devices can be the weak link into the trusted home environment; a beachhead for malicious actors to then gain horizontal access to other devices behind the ‘secure’ firewall,” said Synopsys senior R&D manager for data science, Andrew Bolster.

“As we add increasingly smart devices, be it fridges, voice assistants, heating controllers, vacuum cleaners, etc., opportunity for security failures to spread expands exponentially,” he added.
