TP-Link Smart Bulb Spills Wi-Fi Passwords

Security researchers from Italy and London have discovered several vulnerabilities in a popular brand of smart light bulbs, which could allow attackers to discover their target’s Wi-Fi password.
The new paper comes from Catania University’s Davide Bonaventura and Giampaolo Bella, and Royal Holloway, University of London’s Sergio Esposito.
It analyzed the cloud-enabled TP-Link Tapo L530E, which is claimed to be a best seller on Amazon and other marketplaces.
The researchers applied the steps of the PETIoT kill chain to carry out Vulnerability Assessment and Penetration Testing (VAPT). They found four bugs which could have a “dramatic impact,” according to the paper:
- A high severity bug related to a lack of authentication with the accompanying smartphone app, meaning anyone can authenticate to the app pretending to be the smart bulb
- A high severity bug related to a hard-coded and too short secret shared by the Tapo app and smart bulb, which is exposed by code fragments run by the app and smart bulb
- A medium severity vulnerability related to a lack of randomness during symmetric encryption
- A medium severity vulnerability that could be used with the bug above to cause denial of service
“In short, authentication is not well accounted for and confidentiality is insufficiently achieved by the implemented cryptographic measures,” the report noted.
“In consequence, an attacker who is nearby the bulb can operate at will not just the bulb but all devices of the Tapo family that the user may have on her Tapo account. Moreover, the attacker can learn the victim’s Wi-Fi password, thereby escalating his malicious potential considerably.”
The researchers responsibly disclosed their findings to the Taiwanese manufacturer and were told firmware updates would be issued to fix the bugs. However, it’s not clear from the paper whether these have been made available yet.
“These assistive and clever devices can be the weak link into the trusted home environment; a beachhead for malicious actors to then gain horizontal access to other devices behind the ‘secure’ firewall,” warned Synopsys senior R&D manager for data science, Andrew Bolster.
“As we add increasingly smart devices, be it fridges, voice assistants, heating controllers, vacuum cleaners, etc, opportunity for security failures to spread expands exponentially.”