A recent scientific paper titled “Smart Bulbs can be Hacked to Hack into your Household” by Davide Bonaventura and colleagues from the University of Catania and Royal Holloway, University of London, delves into the vulnerabilities of the Tapo L530E smart bulb by TP-Link. The bulb, a best-seller on Amazon Italy, was found to have multiple security flaws that could be exploited by nearby attackers.
The Tapo app does not adequately verify the identity of its peer, allowing anyone to impersonate the smart bulb. The encryption key used by both the Tapo app and the smart bulb is short and can be easily accessed from the code fragments run by both entities. The initialization vectors used by the Tapo app and the smart bulb for symmetric encryption are static, leading to potential vulnerabilities. Neither the app nor the bulb implements measures to check the freshness of received messages.
The Tapo app has several vulnerabilities related to its smart bulb. Firstly, it doesn't properly check the identity of its peer, which means someone could pretend to be the smart bulb. Additionally, both the app and the bulb use a short secret that can be easily found in their code fragments. There's also a problem with their encryption; they use static initialization vectors, which can lead to potential security risks. Lastly, neither the app nor the bulb has a way to verify how recent their received messages are.
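A minimal sketch of the missing freshness check, added here as an illustration and not taken from the paper or from TP-Link's code: each message carries a counter covered by an HMAC, and the receiver rejects anything at or below the last counter it accepted. The `Sender`/`Receiver` names, the frame layout and the per-session key (assumed to be already shared over an authenticated exchange) are hypothetical, and the sketch covers integrity and freshness only, not confidentiality.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes

class Sender:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def seal(self, payload: bytes) -> bytes:
        # Frame (hypothetical layout): 8-byte counter | payload | 32-byte tag
        self.counter += 1
        header = struct.pack(">Q", self.counter)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seen = key, 0

    def open(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("frame too short")
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Authenticate first, so the counter cannot be edited by a third party.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad authentication tag")
        (counter,) = struct.unpack(">Q", header)
        # Freshness: accept only counters strictly above the last accepted one.
        if counter <= self.last_seen:
            raise ValueError("stale or replayed message")
        self.last_seen = counter
        return payload

def demo():
    key = os.urandom(32)                     # constructed per-session key
    app, bulb = Sender(key), Receiver(key)
    captured = app.seal(b'{"on": true}')     # constructed sample command
    results = [bulb.open(captured)]          # first delivery is accepted
    # The same frame again, then the same frame with only the counter changed.
    for frame in (captured, struct.pack(">Q", 99) + captured[8:]):
        try:
            bulb.open(frame)
        except ValueError as err:
            results.append(str(err))
    return results

if __name__ == "__main__":
    print(demo())
```

Because the counter sits inside the authenticated data, a previously captured frame fails either the freshness check or the tag check.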
Researchers demonstrated that a malicious attacker in proximity to the target smart bulb could exploit these vulnerabilities in various ways. For instance, by leveraging the first vulnerability, the attacker could impersonate the bulb and obtain the user's Tapo and Wi-Fi credentials. Furthermore, the attacker could potentially mount a man-in-the-middle attack.
The researchers emphasized that their experiments only involved devices, networks, and accounts owned by them, ensuring no third-party data was accessed. Upon discovering the vulnerabilities, TP-Link was informed through their Vulnerability Research Program. The company acknowledged the issues and began working on fixes for both the app and the bulb firmware.
Dangers of a Growing Network of Unprotected IoT Devices
There are growing concerns about IoT security in both personal and enterprise settings. Issues such as the vulnerability in the Tapo smart light bulb highlight the dangers of smart devices in the home. As these home-connected products become more mainstream, many users are likely unaware of the security risks.
In the enterprise, the dangers are more profound. Many organizations have thousands of endpoints running outdated and unpatched SSH servers. In July, Microsoft introduced a firmware analysis feature for Microsoft Defender for IoT, aimed at identifying potential security vulnerabilities in IoT devices. This new feature performs an automated analysis of a binary firmware image running on an IoT device, providing a detailed inventory of open-source packages found in the firmware image.