Smart Bulb Vulnerabilities a Jumping Off Point for Further Network Exploitation, Researchers Warn
Popular TP-Link bulbs turn up serious security vulnerabilities — and are unlikely to be alone.
Researchers from the Università di Catania and the University of London have warned of vulnerabilities in common home automation devices like smart light bulbs which can lead to an entire network takeover — calling out TP-Link's best-selling Tapo smart bulb family as an example.
"The IoT [Internet of Things] is getting more and more pervasive. Even the simplest devices, such as a light bulb or an electrical plug, are made 'smart' and controllable by our smartphone," the researchers explain in the abstract to their paper, brought to our attention by Bleeping Computer.
"This paper describes the findings obtained by applying the PETIoT kill chain to conduct a Vulnerability Assessment and Penetration Testing session on a smart bulb, the Tapo L530E by TP-Link, currently best seller on Amazon Italy," the team continues. "We found that four vulnerabilities affect the bulb, two of High severity and two of Medium severity according to the CVSS v3.1 scoring system."
Those vulnerabilities ranged from the ability to retrieve stored user credentials for the Tapo software to being able to acquire the network key for a user's home network — opening it up to further exploitation or eavesdropping. Other issues found during experimentation included hard-coded shared secrets and a lack of entropy during encryption, which weakens its protection.
The team, however, warns that such issues are unlikely to be limited to one particular model from one particular manufacturer. "While more and more experiments will certainly follow on similar bulbs and other inexpensive devices," the researchers write, "we argue that the evidence we have gathered thus far is sufficient to call for a fuller application of a zero trust model to the IoT domain. With dozens of years of cybersecurity experience accumulated by the international community thus far, it should be possible to find affordable ways to achieve that in due course."
The researchers reported their findings to TP-Link, which has confirmed it is working on a firmware update to address the security vulnerabilities found — but had not, at the time of writing, provided a release date.
A preprint of the team's paper is available on Cornell's arXiv server under open-access terms.