The current rise of the Internet of Things (IoT) is at its peak and rapidly expanding its abilities by transforming basic items into controllable smart devices via smartphones, including light bulbs and plugs.
In 2021, the IoT devices exceeded the count of 13.8 billion; by 2025, it’s set to double. However, this huge surge also creates vast attack possibilities for the threat actors, posing security challenges for security analysts.
The following cybersecurity analysts from their respective universities recently identified that hackers could hack smart bulbs to steal Wi-Fi passwords:-
- Davide Bonaventura from “Dipartimento di Matematica e Informatica Universita di Catania, Italy”
- Sergio Esposito from “Information Security Group Royal Holloway University of London, Egham, UK”
- Giampaolo Bella from “Dipartimento di Matematica e Informatica Universita di Catania, Italy”
To conduct the Vulnerability Assessment and Penetration Testing (VAPT) on smart bulbs, the researchers opted for the Tp-Link Tapo Smart Wi-Fi Multicolor Light Bulb (L530E) on which they used the PETIoT, a new IoT-focused Kill Chain (KC) that detects the network vulnerabilities.
Tapo L530E can be controlled via the Tapo app on Android or iOS without needing a hub, connecting directly to home Wi-Fi since it’s a cloud-enabled Multicolor Smart Bulb.
In a report shared with Cyber Security News, researchers confirmed that this Smart bulb model is vulnerable to the following four vulnerabilities:-
- Lack of authentication of the smart bulb with the Tapo app (8.8 CVSS score, High severity)
- Hard-coded, short shared secret (7.6 CVSS score, High severity)
- Lack of randomness during symmetric encryption (4.6 CVSS score, Medium severity)
- Insufficient message freshness (5.7 CVSS score, Medium severity)
The analysis and tests done by security analysts reveal the proximity-based attacks on the target smart bulb.
Exploiting the “Lack of authentication of the smart bulb with the Tapo app,” flaw the attackers gain Tapo and Wi-Fi credentials either by impersonating the bulb in setup mode or de-authenticating the bulb for a re-setup attempt.
Using the acquired credentials, the attacker can launch a man-in-the-middle attack to intercept the session keys during bulb setup and escalate the malicious potential with exposed Wi-Fi credentials.
Here below, we have mentioned all the setups demoed by the researchers:-
- Setup A
- Setup B
- Setup C
Here below, we have mentioned all the attack scenarios:-
- Fake Bulb Discovery messages generation.
- Password exfiltration from Tapo user account.
- MITM attack with a configured Tapo L530E.
- Replay the attack with the Smart bulb as a victim.
- MITM attack with an unconfigured Tapo L530E.
Moreover, TP-Link has already been informed by the security analyst about these findings related to their “Tapo Smart Wi-Fi Multicolor Light Bulb (L530E).”
In response, TP-Link assured researchers that they would fix these flaws affecting their app and the firmware of the bulb.