
Smart light bulbs could give away your password secrets – Naked Security

A group of researchers from Italy and the UK recently published a paper highlighting cryptographic insecurities in the TP-Link Tapo L530E smart light bulb, which is currently a bestseller on Amazon Italy. The researchers contacted TP-Link through its Vulnerability Research Program, and the company acknowledged the vulnerabilities and began working on fixes. The researchers have now revealed the details of their attacks in their paper.

The Tapo L530E light bulb is set up wirelessly through a temporary Wi-Fi access point created by the bulb. An attacker could potentially create a fake access point and trick users into sending their Wi-Fi password and TP-Link account details to the imposter bulb. The researchers found that the protocol used for the setup process did not effectively prevent such attacks.

The protocol used a fixed key for its checksum, making it easy for an attacker to forge messages. The researchers were able to crack the key through brute force, and the attack was successful within an average of 140 minutes. Additionally, the app and light bulb did not verify the session key agreement, potentially allowing an imposter device to intercept encrypted data. The researchers emphasized the need for stronger cryptographic measures in smart devices to prevent such vulnerabilities.
