Households could have their local Wi-Fi networks' passwords compromised through the exploitation of four security flaws impacting TP-Link Tapo L530E smart bulbs and the Tapo app, SecurityWeek reports.
Threat actors could leverage the most severe of the identified vulnerabilities, which concerns inadequate authorization of the smart bulb with the app, to obtain both Tapo credentials and Wi-Fi credentials, according to a study from Italian and UK researchers. Exploitation requires the targeted smart bulbs to be in setup mode, although Wi-Fi de-authentication attacks could be aimed at connected bulbs.
Meanwhile, the other bugs could be exploited to obtain authentication and message integrity check keys, as well as to replay app-sent messages to operate the device. All vulnerabilities have been reported to TP-Link, which is already in the process of addressing the flaws.
"Contrary to a potential belief that smart bulbs are not worth protecting or hacking, we found out that this model suffers four vulnerabilities that are not trivial and, most importantly, may have a dramatic impact," said researchers.