Researchers discovered four vulnerabilities in the TP-Link Tapo L530E smart bulb and the Tapo application. These security flaws allow attackers to steal users' WiFi passwords.
The TP-Link Tapo L530E is a popular smart bulb sold on various marketplaces, including Amazon. It was analyzed by researchers from Universita di Catania and the University of London, who aimed to highlight the security risks associated with the billions of intelligent IoT devices consumers use, many of which have inadequate data transmission security and authentication measures.
The first vulnerability identified allows attackers to impersonate the Tapo L530E device during the session key exchange process due to improper authentication. This high-severity vulnerability (CVSS v3.1 score: 8.8) enables adjacent attackers to retrieve Tapo user passwords and manipulate Tapo devices.
The second flaw is another high-severity issue (CVSS v3.1 score: 7.6) arising from a hard-coded short checksum shared secret, which attackers can obtain through brute-forcing or decompiling the Tapo app.
The third vulnerability is a medium-severity flaw related to the lack of randomness in symmetric encryption, making the cryptographic scheme predictable.
The fourth issue stems from the absence of checks for the freshness of received messages, which keeps session keys valid for 24 hours and allows attackers to replay messages during that period.
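One way a receiver could enforce the message freshness that the fourth issue says is missing, shown as an added example (not TP-Link's code or the researchers'): each message carries a timestamp and a random nonce under an HMAC, and the receiver rejects anything stale or already seen. The names `seal` and `FreshnessGuard`, the message layout, the 30-second window and the sample command are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

HEADER_LEN, TAG_LEN = 24, 32  # 8-byte timestamp + 16-byte nonce; HMAC-SHA256 tag


def seal(key, payload, now=None):
    """Sender: prepend timestamp and random nonce, append an HMAC over all of it."""
    ts = int(time.time() if now is None else now)
    header = struct.pack(">Q", ts) + os.urandom(16)
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()


class FreshnessGuard:
    """Receiver: authenticate first, then reject stale or already-seen messages."""

    def __init__(self, key, max_skew=30):  # 30 s window is an assumed policy
        self.key, self.max_skew = key, max_skew
        self.seen = {}  # nonce -> timestamp, kept only while inside the window

    def open(self, msg, now=None):
        now = time.time() if now is None else now
        if len(msg) < HEADER_LEN + TAG_LEN:
            raise ValueError("truncated message")
        header, payload, tag = msg[:HEADER_LEN], msg[HEADER_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag")
        ts, nonce = struct.unpack(">Q", header[:8])[0], header[8:]
        if abs(now - ts) > self.max_skew:
            raise ValueError("stale message")
        # Drop nonces the timestamp check alone would already reject.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_skew}
        if nonce in self.seen:
            raise ValueError("replayed message")
        self.seen[nonce] = ts
        return payload


if __name__ == "__main__":
    key = os.urandom(32)  # stands in for a negotiated session key
    guard = FreshnessGuard(key)
    msg = seal(key, b'{"cmd":"power_on"}')  # constructed sample command
    print(guard.open(msg))
    try:
        guard.open(msg)  # same bytes sent again
    except ValueError as err:
        print("rejected:", err)
```

Because the nonce cache only has to cover the acceptance window, its size stays bounded even when the session key itself lives much longer.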
The most concerning attack scenario is bulb impersonation and retrieval of Tapo user account details by exploiting vulnerabilities one and two. Then, by accessing the Tapo app, the attacker can extract the victim's WiFi SSID and password and gain access to all other devices connected to that network.
The device needs to be in setup mode for the attack to work. However, the attacker can deauthenticate the bulb, forcing the user to set it up again to restore its function.
Another attack type explored by the researchers is a MITM (Man-in-the-Middle) attack against a configured Tapo L530E device. This attack leverages vulnerability one to intercept and manipulate communication between the app and the bulb, allowing the attacker to capture RSA encryption keys used for subsequent data exchange.
MITM attacks are also possible with unconfigured Tapo devices by exploiting vulnerability one during setup. This allows attackers to bridge two networks, route discovery messages, and retrieve Tapo passwords, SSIDs, and WiFi passwords in easily decipherable base64-encoded form.
The researchers responsibly disclosed their findings to TP-Link, and the vendor acknowledged the vulnerabilities. TP-Link has stated that it will release fixes for the app and the bulb's firmware. However, it is unclear whether these fixes have been made available and which versions of the products are still vulnerable.
To strengthen IoT security, it is recommended to keep these devices isolated from critical networks, regularly update firmware and app versions, and safeguard accounts with multi-factor authentication and strong passwords.