Skip to main content

How smart light bulbs could steal your password

TP-Link smart bulb inside a lamp.
TP-Link

If it’s connected to the internet, it can get hacked — yes, even some of the best smart bulbs. While smart bulbs make it easy to adjust the lighting and ambiance in your room, they connect to Wi-Fi, which makes them susceptible to attacks. Researchers from the Universita di Catania and the University of London discovered a particular vulnerability in the TP-Link Tapo L530E smart bulb and the accompanying TP-Link Tapo app. It seems that hackers could gain access to your passwords just through the smart bulb.

These days, smart devices are more and more prominent in households across the globe. The TP-Link Tapo L530E is a popular smart bulb, which is what drove the researchers to analyze it and attempt to find flaws within its security. Unfortunately, they found at least four vulnerabilities, all stemming from the fact that the bulb’s security measures might be insufficient.

Recommended Videos

The first flaw, deemed a high-severity vulnerability, stems from the fact that attackers could potentially impersonate the Tapo L503E during the session key exchange. Scored at 8.8 on the severity scale, this vulnerability reportedly allows the hacker to steal the user’s Tapo passwords and take control of their smart devices. The second high-severity flaw (rated at 7.6) is related to the weak checksum code used by the smart bulbs, which makes it easy for potential attackers to figure out, either through brute-forcing it or by going through the code of the Tapo app.

Please enable Javascript to view this content

The other two vulnerabilities are less severe. One concerns the fact that there’s a significant lack of randomness during encryption, which makes it easier for threat actors to predict and decode the cryptographic scheme. Lastly, it appears that any messages received by the smart bulb remain accessible to the attackers for a whole 24 hours.

What good can it do to hack a smart bulb? Well, it turns out it’s more dangerous than it seems. The highest-rated vulnerability actually allows attackers to impersonate your smart bulb and steal your Tapo details. From then, they’d be able to see your Wi-Fi SSID and password, which would then potentially expose all the other devices connected to that network. Fortunately, it appears that the device needs to be in setup mode for the attack to be possible — but hackers can remove the authentication from the smart bulb, forcing the setup mode to be used.

TP-Link Tapo smart bulb.
TP-Link

There’s also potential for a Man-in-the-Middle (MITM) attack, which relies on the aforementioned vulnerability to retrieve RSA encryption keys that can later be used to exchange data. Ultimately, it appears that not just Tapo credentials, but also Wi-Fi passwords and potentially other sensitive data could be at risk.

The researchers described all four vulnerabilities in a paper, which was then reported on by Bleeping Computer. Before making the matter public, they disclosed the vulnerabilities to TP-Link, which has promised to update the bulb’s firmware to fix these problems. However, it’s unclear how long it’s going to take for this to be addressed.

What can you do to stay safe? Most of all, don’t neglect using multi-factor authentication (MFA) on every device and app that allows it. Use secure passwords and never use the same password twice. As for smart home devices in general, if you can keep them away from important networks, that might be for the best, as they often don’t offer the same kind of security that you’d expect from more advanced devices.

Monica J. White
Monica is a computing writer at Digital Trends, focusing on PC hardware. Since joining the team in 2021, Monica has written…
How to secure your Wi-Fi network
man wearing wireless earbuds

Given how much valuable information we entrust to computers these days, it's more important than ever to ensure that your work and home networks are safe. All it takes is one chink in your Wi-Fi's armor to compromise your system, leading to ransomware, invasion of privacy, and the loss of invaluable personal data. Learn how to secure your Wi-Fi network today, and rest easier knowing you've prevented future outrages.
Why do I need to secure my Wi-Fi network?

Wi-Fi works by broadcasting the signal from your modem via a wireless router up to several hundred feet away, allowing any compatible device to connect to the internet. While this is undoubtedly a major convenience for both work and home networks, it also raises the unpleasant possibility that a cybercriminal could compromise the network and gain access to your devices and information. Should any crime be committed using your PC, such as spamming or harassment, the investigation would lead back to your computer, potentially putting you at legal risk.

Read more
TP-Link’s new Kasa mesh router doubles as an Alexa smart speaker
tp link launches kasa mesh router smart speaker ces 2021 deco voice x20

TP-Link has long had its claws in the smart home world through devices like the Kasa Outdoor Smart Plug, but now the company has announced a brand-new lineup of new smart devices at CES 2021.

The most interesting announcement from Kasa is the Deco Voice X20, a combination mesh router and smart speaker all in one. It features Alexa functionality baked right into the device while delivering Wi-Fi 6 to every corner of your home. The Deco Voice X20 also provides powerful IoT security and robust parental controls.

Read more
TP-Link’s new blazing-fast Wi-Fi 6E routers coming later in 2021
tp link new wi fi 6e routers ces 2021

TP-Link is introducing a refreshed lineup of routers with support for the Wi-Fi 6E standard. Announced on the first day of CES 2021, the new networking solutions are just the start of new tech coming out of the show so far.

Leading the lineup is the Archer AX96. This router has support for Wi-Fi 6E, which means in can handle speeds of up to 7,800 Mbps. It sports what TP-Link is calling "Smart Antennas," which can help extend coverage in different scenarios. Inside, there's also a 1.7GHz quad-core CPU.

Read more