How smart light bulbs could steal your password | Digital Trends (2024)

If it’s connected to the internet, it can get hacked — yes, even some of the best smart bulbs. While smart bulbs make it easy to adjust the lighting and ambiance in your room, they connect to Wi-Fi, which makes them susceptible to attacks. Researchers from the Università di Catania and the University of London discovered a particular vulnerability in the TP-Link Tapo L530E smart bulb and the accompanying TP-Link Tapo app. It seems that hackers could gain access to your passwords just through the smart bulb.

These days, smart devices are more and more prominent in households across the globe. The TP-Link Tapo L530E is a popular smart bulb, which is what drove the researchers to analyze it and attempt to find flaws within its security. Unfortunately, they found at least four vulnerabilities, all stemming from the fact that the bulb’s security measures might be insufficient.

The first flaw, deemed a high-severity vulnerability, stems from the fact that attackers could potentially impersonate the Tapo L530E during the session key exchange. Scored at 8.8 on the severity scale, this vulnerability reportedly allows the hacker to steal the user’s Tapo passwords and take control of their smart devices. The second high-severity flaw (rated at 7.6) is related to the weak checksum code used by the smart bulbs, which potential attackers can easily figure out, either by brute-forcing it or by going through the code of the Tapo app.

The other two vulnerabilities are less severe. One concerns the fact that there’s a significant lack of randomness during encryption, which makes it easier for threat actors to predict and decode the cryptographic scheme. Lastly, it appears that any messages received by the smart bulb remain accessible to the attackers for a whole 24 hours.

What good can it do to hack a smart bulb? Well, it turns out it’s more dangerous than it seems. The highest-rated vulnerability actually allows attackers to impersonate your smart bulb and steal your Tapo details. From there, they’d be able to see your Wi-Fi SSID and password, which would then potentially expose all the other devices connected to that network. Fortunately, it appears that the device needs to be in setup mode for the attack to be possible — but hackers can remove the authentication from the smart bulb, forcing the setup mode to be used.

There’s also potential for a Man-in-the-Middle (MITM) attack, which relies on the aforementioned vulnerability to retrieve RSA encryption keys that can later be used to exchange data. Ultimately, it appears that not just Tapo credentials, but also Wi-Fi passwords and potentially other sensitive data could be at risk.

The researchers described all four vulnerabilities in a paper, which was then reported on by Bleeping Computer. Before making the matter public, they disclosed the vulnerabilities to TP-Link, which has promised to update the bulb’s firmware to fix these problems. However, it’s unclear how long it’s going to take for this to be addressed.

What can you do to stay safe? Most of all, don’t neglect using multi-factor authentication (MFA) on every device and app that allows it. Use secure passwords and never use the same password twice. As for smart home devices in general, if you can keep them away from important networks, that might be for the best, as they often don’t offer the same kind of security that you’d expect from more advanced devices.

FAQs

Can TP-Link Smart bulbs let hackers steal your Wi-Fi password?

Four vulnerabilities identified by academic researchers from Italy and the UK in the TP-Link Tapo L530E smart bulb and its accompanying mobile application can be exploited to obtain the local Wi-Fi network's password.

What are the security vulnerabilities in smart light bulbs?

The vulnerabilities identified with the TP-Link Tapo L530E smart bulb range from medium to high severity in their vulnerability score. The most dangerous allows attackers to impersonate the device during the session key exchange, giving the attacker a chance to steal user passwords and manipulate the devices.

Do smart bulbs affect Wi-Fi?

Generally speaking, smart lights won't put much extra draw on your WiFi network because, like smart plugs, smart lights are very simple devices that will typically only need to communicate when their status changes.

What are the disadvantages of smart lighting?

The biggest disadvantage of smart light bulbs is that they're much more expensive than regular lightbulbs. As of this writing, a standard incandescent bulb costs about a dollar, while a non-smart LED light bulb costs around $5. A smart bulb costs around $15 each, and that's not counting additional hub expenses.

Can smart light bulbs be hacked?

If you reuse passwords, there's a good chance that the one used for your lightbulbs can be used by hackers to access your accounts on other websites and services. Always use a unique password for every service – and use a password manager if you have trouble remembering them all. Set up a separate home network.

Does TP-Link steal data?

Meanwhile, TP-Link tells CNET that it does not sell user personal data and that none of the data collected by its routers are used for marketing at all. Still, the company's privacy policy appears to create wiggle room on the topic: "We will not sell your personal information unless you give us permission.

What are the risks of smart bulbs?

Once the light bulb is compromised, they can horizontally attack the rest of the network, attempt to escalate privilege, interact with the other devices, and even use other legitimate devices to spoof interactions with outside equipment, other internet connected services, or other bridged devices within the home.

Do smart lights give off radiation?

Radiation, yes, light. The fact that they are smart means they talk by radiation to their control source. However, the level of radiation and its duration is minuscule. Much less than you have from a cell phone or laptop computer.

Do smart lights deter burglars?

Less is more when it comes to using lights to deter burglars, it turns out. If you use smart lighting functionality through your home security system to make it seem as though someone is home, this may deter a burglar. If you simply leave your lights on all day and all night, you could do the opposite.

What happens to smart lights when the internet goes out?

With smart lights, you can get used to controlling the brightness and dimness of your lights with a single tap on your phone. When the internet is down, you can easily switch your lights on and off with a physical switch.

Do smart bulbs use electricity when off?

As we mentioned above, smart bulbs are in a class of appliances that use electricity in standby mode: vampire devices. This means that smart bulbs use electricity even when they're off.

Can too many smart devices slow down Wi-Fi?

When you live in a home or work in an area where multiple people frequently use too many devices on the same network, you may experience low bandwidth. This would be experienced across multiple devices, making the devices slow down to the point of affecting even simple web browsing.

Do smart lights raise electric bill?

Since smart light bulbs are LED based, they draw very little power for the light itself and they also have a long lifetime of around ten years on average. But the smart controls – despite coming from a connection which costs you in standby power use – can save you money.

What are the pros and cons of smart bulbs?

Smart bulbs offer many advantages over traditional light bulbs, including the ability to adjust brightness levels and create different lighting effects. However, they also come with some disadvantages, such as a higher cost and reliance on technology.

What are 2 disadvantages of LED lights?

The Pros and Cons of LED Lights
  • Pro: Long Lifespan. An LED light bulb has the longest lifespan of all the bulb options. ...
  • Con: An Upfront Investment Is Required. ...
  • Pro: Energy-Efficient. ...
  • Con: Not Great for Dimmers. ...
  • Pro: Produce Less Heat. ...
  • Con: They Can Fail Under Heat. ...
  • Pro: Environmentally Friendly. ...
  • Con: Directional.

Are TP-Link bulbs safe?

The researchers identified two primary vulnerabilities in TP-Link's Kasa Smart Bulbs that, when exploited in sequence, could result in unauthorized access to users' WiFi networks and even the theft of their WiFi passwords.

Can TP Link router be hacked?

The attacker only has to use the ancient Telnet protocol to connect to the router on the local network, then make it look like a login request comes from the web address "tplinkwifi.net", the same address TP-Link routers use during setup. None of this is hard to do.

What happens if a hacker gets your Wi-Fi password?

A Wi-Fi hack can be extremely dangerous. A hacker can spy and gain access to any information sent out from all of the devices on your hacked network. This can include login credentials and passwords, as well as other personal and financial information. A hacker can also plant malware on your device.

How do smart devices get hacked?

Out of the box, most routers use a model-specific SSID and either aren't secured or use a generic password like "admin," making it easy for hackers to access your home Wi-Fi and poke around your connected smart home devices. The first thing to do is secure your Wi-Fi network with a strong password.

Author: Fredrick Kertzmann
