Smart light bulbs could give away your password secrets
A trio of researchers split between Italy and the UK have recently published a paper about cryptographic insecurities they found in a widely-known smart light bulb.
The researchers seem to have chosen their target device, the TP-Link Tapo L530E, on the basis that it is "Currently [the] best seller on Amazon Italy," so we don't know how other smart bulbs stack up, but their report has plenty to teach us anyway.
Like many so-called "Smart" devices, the Tapo L530E is designed so it can be set up quickly and easily over Wi-Fi. Although wireless-based configuration is common even for battery-powered devices that can be charged and set up via built-in USB ports, such as cameras and bike accessories, light bulbs generally don't have USB ports, not least for space and safety reasons, given that they're designed to be plugged into and left in a mains light socket.
Then a nearby attacker who just happens to start up a fake Tapo Bulb XXXX access point at the right moment could lure you into sending those important setup secrets to their "Imposter bulb" device instead of to the real thing, thus capturing both your Wi-Fi password and your TP-Link account details.
Loosely put, the app locates any light bulbs on its network by broadcasting special UDP packets to port 20002 and seeing which devices reply, if any.
To help any listening light bulbs decide that an "are you there?" request came from the Tapo app, rather than from some other unknown product or service that just happens to use port 20002 as well, the request includes what's known in the jargon as a keyed hash.
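To make the keyed-hash idea concrete, here is an added illustration (not TP-Link's protocol or code) of a discovery request carrying an HMAC-SHA256 tag and a receiver that accepts only requests tagged under the shared key; the message layout, field names and key value are constructed for the example, and only the port number comes from the article.

```python
# Added example (not TP-Link's protocol or code): a keyed-hash check on a
# UDP discovery request, in the style the article describes. Message layout,
# field names and the key are constructed for illustration.
import hashlib
import hmac
import json

DISCOVERY_PORT = 20002               # port named in the article
SHARED_KEY = b"example-shared-key"   # constructed; not a real Tapo key


def build_discovery_request(key: bytes, sender: str) -> bytes:
    """Sender side: JSON body plus an HMAC-SHA256 tag over that body."""
    body = json.dumps({"cmd": "discover", "from": sender}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def verify_discovery_request(key: bytes, packet: bytes) -> bool:
    """Receiver side: accept only if the tag matches the body under the key.
    compare_digest avoids a timing side channel in the comparison."""
    try:
        body, tag = packet.rsplit(b"\n", 1)
        json.loads(body)
    except ValueError:          # no tag separator, or body is not JSON
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    good = build_discovery_request(SHARED_KEY, "tapo-app")
    # Same request, but tagged under a different key: fails the check.
    wrong_key = build_discovery_request(b"some-other-key", "tapo-app")
    # Body edited after the tag was computed: fails the check.
    tampered = good.replace(b'"tapo-app"', b'"evil-app"')
    return {
        "genuine": verify_discovery_request(SHARED_KEY, good),
        "wrong_key": verify_discovery_request(SHARED_KEY, wrong_key),
        "tampered": verify_discovery_request(SHARED_KEY, tampered),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'wrong_key': False, 'tampered': False}
```

The check proves only that the sender knew the key; how that key is provisioned to each copy of the app and each bulb decides what passing the check is actually worth.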
News URL: https://nakedsecurity.sophos.com/2023/08/22/smart-light-bulbs-could-give-away-your-password-secrets/