We’ve heard stories in the past about hackers managing to pry their way into smart bulb vulnerabilities, and now we have another one, this time involving one of the more popular smart bulbs on Amazon.
Researchers from the University of Catania and the University of London have published a paper naming the TP-Link Tapo L530E as a smart bulb that’s currently open to attack–and indeed, under the right circumstances, a hacker could even use the bulb to snag your Wi-Fi password.
The paper describes how an attacker in the vicinity of the Tapo L530E could “impersonate” the bulb and trick the Tapo app into giving up not only the user’s Tapo credentials, but also their Wi-Fi router’s password, Bleeping Computer reports.
The same exploit would allow a hacker to obtain a session key from the bulb that could be returned to the user, thus setting the table for “man-in-the-middle” attacks, the researchers say.
The Tapo L530E needs to be in setup mode for the attack to work, but a “simple” Wi-Fi deauthentication attack could trick the user into putting the bulb back in pairing mode, according to the researchers.
A combination of other vulnerabilities would allow hackers to “re-use” encrypted messages between the Tapo app and the bulb to launch denial-of-service attacks, the paper continues.
Overall, the paper faults the bulb for a variety of security flaws, including the fact that the bulb doesn’t need to prove its identity to the app, and a “short” and “exposed” shared secret code between the app and the bulb.
The researchers say TP-Link has “acknowledged” all the vulnerabilities and promised it had “started working” on fixes for both the bulb and the Tapo app.
We’ve reached out to TP-Link for comment.
Needless to say, if you have any Tapo L530E bulbs installed in your home, you should take them offline immediately until TP-Link deploys security patches.
Smart home devices have long been criticized for their security vulnerabilities, including devices from the biggest smart home brands.
Back in 2020, we learned that a rogue smart bulb could be used to hijack a Philips Hue Bridge via a weakness in the Zigbee wireless protocol. Hue had already patched the security flaw before the report came to light.
More recently, Anker-owned Eufy came under fire following reports that unencrypted video streams from Eufy security cams could be easily intercepted.