How smart light bulbs could steal your password

TP-Link smart bulb inside a lamp.

If it’s connected to the internet, it can get hacked — yes, even some of the best smart bulbs. While smart bulbs make it easy to adjust the lighting and ambiance in your room, they connect to Wi-Fi, which makes them susceptible to attacks. Researchers from the Università di Catania and the University of London discovered a particular vulnerability in the TP-Link Tapo L530E smart bulb and the accompanying TP-Link Tapo app. It seems that hackers could gain access to your passwords just through the smart bulb.

These days, smart devices are more and more prominent in households across the globe. The TP-Link Tapo L530E is a popular smart bulb, which is what drove the researchers to analyze it and attempt to find flaws within its security. Unfortunately, they found at least four vulnerabilities, all stemming from the fact that the bulb’s security measures might be insufficient.

The first flaw, deemed a high-severity vulnerability, stems from the fact that attackers could potentially impersonate the Tapo L530E during the session key exchange. Scored at 8.8 on the severity scale, this vulnerability reportedly allows the hacker to steal the user’s Tapo passwords and take control of their smart devices. The second high-severity flaw (rated at 7.6) is related to the weak checksum code used by the smart bulbs, which potential attackers can easily figure out, either by brute-forcing it or by going through the code of the Tapo app.

The other two vulnerabilities are less severe. One concerns the fact that there’s a significant lack of randomness during encryption, which makes it easier for threat actors to predict and decode the cryptographic scheme. Lastly, it appears that any messages received by the smart bulb remain accessible to the attackers for a whole 24 hours.
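Why a lack of randomness during encryption matters, shown as an added example that is not from the researchers' paper or TP-Link's code. It generalizes beyond the article: the cipher is a stand-in HMAC-based stream cipher, and the key, messages, and function names are constructed for illustration, since the article does not describe the bulb's actual scheme.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def reused_nonces(records):
    """Audit check over (nonce, ciphertext) records: nonces seen more than once."""
    seen, dupes = set(), set()
    for nonce, _ in records:
        (dupes if nonce in seen else seen).add(nonce)
    return dupes

# Constructed sample data: demo key and two equal-length commands.
KEY = bytes(32)
ON = b"turn light ON "
OFF = b"turn light OFF"
FIXED_NONCE = b"\x00" * 12

def demo():
    msgs = (ON, OFF, ON)
    # Weak: every message is encrypted under the same nonce.
    weak = [(FIXED_NONCE, encrypt(KEY, FIXED_NONCE, m)) for m in msgs]
    # Corrected: a fresh random nonce per message, sent alongside the ciphertext.
    strong = []
    for m in msgs:
        nonce = os.urandom(12)
        strong.append((nonce, encrypt(KEY, nonce, m)))
    return weak, strong

if __name__ == "__main__":
    weak, strong = demo()
    print("repeated command visible:", weak[0][1] == weak[2][1])
    print("ciphertext XOR equals plaintext XOR:",
          xor(weak[0][1], weak[1][1]) == xor(ON, OFF))
    print("nonces reused (weak / corrected):",
          len(reused_nonces(weak)), len(reused_nonces(strong)))
```

With the fixed nonce, an observer learns when a command repeats and how two commands differ without ever knowing the key; the per-message random nonce removes both signals.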

What good can it do to hack a smart bulb? Well, it turns out it’s more dangerous than it seems. The highest-rated vulnerability actually allows attackers to impersonate your smart bulb and steal your Tapo details. From there, they’d be able to see your Wi-Fi SSID and password, which would then potentially expose all the other devices connected to that network. Fortunately, it appears that the device needs to be in setup mode for the attack to be possible — but hackers can remove the authentication from the smart bulb, forcing the setup mode to be used.

TP-Link Tapo smart bulb.

There’s also potential for a Man-in-the-Middle (MITM) attack, which relies on the aforementioned vulnerability to retrieve RSA encryption keys that can later be used to exchange data. Ultimately, it appears that not just Tapo credentials, but also Wi-Fi passwords and potentially other sensitive data could be at risk.

The researchers described all four vulnerabilities in a paper, which was then reported on by Bleeping Computer. Before making the matter public, they disclosed the vulnerabilities to TP-Link, which has promised to update the bulb’s firmware to fix these problems. However, it’s unclear how long it’s going to take for this to be addressed.

What can you do to stay safe? Most of all, don’t neglect using multi-factor authentication (MFA) on every device and app that allows it. Use secure passwords and never use the same password twice. As for smart home devices in general, if you can keep them away from important networks, that might be for the best, as they often don’t offer the same kind of security that you’d expect from more advanced devices.

Monica J. White
Monica is a UK-based freelance writer and self-proclaimed geek. A firm believer in the "PC building is just like expensive…