TP-Link Tapo L530E Not Very Smart Lightbulb

10 Million Tapo Installations Can Be Wrong

In yet another Internet of Things security failure, the app which controls the popular TP-Link Tapo L530E smart bulb is an easy gateway to your WiFi password, and from there to everything connected to it.  Researchers from Universita di Catania and the University of London have found four vulnerabilities in the app, some of which may not be fixable, that allow attackers to leverage your lightbulbs to get access to your data.

There is a hard-coded short checksum shared secret in the app, which can be reverse engineered and it uses a cryptographic scheme which is predictable enough to be predicted after monitoring for a time.  That monitoring is made easier by the fact that session keys are valid for 24 hours, so you can replay messaging from that time period.  All of these are the underlying faults that make the most severe vulnerability useful, the ability to impersonate the Tapo L503E during the session key exchange step with the app.

The attack, as described at Bleeping Computer, involves impersonating a Tapo L503E bulb and disconnecting it from the app to put it in setup mode.  From there they can grab the Tapo app login using the lousy security present on the bulb and retrieve the SSID of the WiFi network it’s attached to, as well as the password.  The attacker is now on your network, hopefully just to steal your bandwidth and nothing more.

There are several other ways of leveraging the insecurity of the Tapo L503E, which TP-Link are aware and are working on.  It will be interesting to see just how those updates will be pushed and how effective they will be.