We’ve heard stories in the past about hackers managing to exploit smart bulb vulnerabilities, and now we have another one, this time involving one of the more popular smart bulbs on Amazon.
Researchers from the University of Catania and the University of London have published a paper naming the TP-Link Tapo L530E as a smart bulb that’s open to attack. Indeed, under the right circumstances, a hacker could even use the bulb to snag your Wi-Fi password.
For its part, TP-Link says it’s already fixed some of the vulnerabilities and will soon patch the others.
The paper describes how an attacker in the vicinity of the Tapo L530E could “impersonate” the bulb and trick the Tapo app into giving up not only the user’s Tapo credentials, but also their Wi-Fi router’s password, Bleeping Computer reports.
The same exploit would allow a hacker to obtain a session key from the bulb that could be returned to the user, thus setting the table for “man-in-the-middle” attacks, the researchers say.
The Tapo L530E needs to be in setup mode for the attack to work, but a “simple” Wi-Fi deauthentication attack could trick the user into putting the bulb back in pairing mode, according to the researchers.
A combination of other vulnerabilities would allow hackers to “re-use” encrypted messages between the Tapo app and the bulb to launch denial-of-service attacks, the paper continues.
Overall, the paper faults the bulb for a variety of security flaws, including the fact that the bulb doesn’t need to prove its identity to the app, and a “short” and “exposed” shared secret code between the app and the bulb.
The researchers say TP-Link has “acknowledged” all the vulnerabilities and promised it had “started working” on fixes for both the bulb and the Tapo app.
Reached for comment by TechHive, TP-Link spokesperson Jake Ciccone said the manufacturer “immediately” updated the Tapo app after learning about its security flaws in June, and that “currently, the app has been fully released as the latest version without any vulnerabilities.”
As for the Tapo L530E bulb itself, its failure to authenticate with the Tapo app (marked as “Vulnerability 1” in the research paper) has been “properly resolved,” while “a new firmware will be released [Wednesday] which will solve all the remaining issues,” Ciccone added.
Needless to say, if you have any Tapo L530E bulbs installed in your home, you should take them offline immediately until TP-Link deploys the final security patch.
Smart home devices have long been criticized for their security vulnerabilities, including devices from the biggest smart home brands.
Back in 2020, we learned that a rogue smart bulb could be used to hijack a Philips Hue Bridge via a weakness in the Zigbee wireless protocol. Hue had already patched the security flaw before the report came to light.
More recently, Anker-owned Eufy came under fire following reports that unencrypted video streams from Eufy security cams could be easily intercepted.
Updated shortly after publication with a comment from TP-Link.