These smart bulbs can be hacked to steal your Wi-Fi password — what you need to know

A man controlling smart lights with his smartphone
(Image credit: Shutterstock)

Flicking light switches on and off is something you’ll never have to worry about with the best smart lights installed in your home. However, just like other smart home devices, they can be targeted and attacked by hackers.

TP-Link’s Tapo smart light bulbs are incredibly popular and part of the reason for this is that they’re significantly less expensive than Philips Hue lights. However, new research has discovered several vulnerabilities in the bulbs themselves as well as in the Tapo app that can be exploited by hackers to steal the Wi-Fi password to your home network.

As reported by BleepingComputer, researchers from the University of Catania in Italy and the University of London in the UK have published a new paper (PDF) revealing how TP-Link’s smart light bulbs can be hacked to gain access to your home Wi-Fi. 

It’s worth noting that the researchers’ aim was to shed light on the security weaknesses that exist in billions of smart IoT devices used in homes worldwide. The reason they picked TP-Link’s Tapo smart bulbs to analyze though was due to their popularity.

Tapo smart bulb flaws

In total, the researchers found four vulnerabilities in TP-Link’s Tapo smart bulbs and its Tapo app ranging from high to medium severity flaws.

The first vulnerability, which has a CVSS v3.1 score of 8.8 and has been deemed high-severity, involves improper authentication on the Tapo L530E smart bulb. If exploited, it can allow an attacker to impersonate the device during the session key exchange step. At the same time though, an adjacent attacker can use it to retrieve Tapo user passwords and manipulate Tapo devices.

The second vulnerability is a high-severity flaw as well with a CVSS v3.1 score of 7.6 that is attributed to a hard-coded short checksum shared secret that attackers can obtain by either brute-forcing or by decompiling the Tapo app. 

The third vulnerability is a medium-severity flaw that concerns the lack of randomness during symmetric encryption that makes the cryptographic scheme used in Tapo smart bulbs predictable. Finally, the fourth vulnerability keeps session keys valid for 24 hours due to a lack of checks for the freshness of received messages. During this time period, an attacker could replay these messages.

A Wi-Fi router on a windowsill

(Image credit: Shutterstock)

By exploiting the first and second vulnerabilities, an attacker could impersonate a Tapo bulb and retrieve a user’s account details from within the Tapo app. From here, they could then extract the SSID and Wi-Fi password from a user’s home network which could allow them to gain access to all of the devices connected to it. While a Tapo smart bulb needs to be in setup mode to pull off this attack, they could deauthenticate the bulb itself which would then force the user to set it up again.

Fortunately for owners of Tapo smart bulbs, TP-Link is aware of these vulnerabilities and the company has already taken steps to remedy them. In an email to Tom’s Guide, a TP-Link spokesperson provided further insight on what has been fixed so far and the other solutions that are in the works, saying:

“In June, the editor Bill contacted us, and we immediately upgraded the app. Currently, the app has been fully released as the latest version without any vulnerabilities. Furthermore, regarding the issue with L530E, Problem 1 has been properly resolved. The resolution for other Problems 2, 3, and 4 is also in progress and a new firmware will be released tomorrow which will solve all the remaining issues.”

How to keep your smart home safe from hackers

A picture showing a person controlling their smart home devices with their phone

(Image credit: Shutterstock)

 If you already have a smart home or plan on building out your own DIY smart home, there are a couple of tips and tricks you can use to keep your smart home devices as well as the other devices on your home network safe from hackers.

For starters, it’s always a good idea to keep your smart home devices isolated from the other devices on your network. Many of the best Wi-Fi routers and the best mesh Wi-Fi systems give you the option to create a separate network just for your smart home devices. However, if your Wi-Fi router doesn’t, you can always create a guest network to achieve the same thing.

For instance, I personally use the TP-Link Deco XE75 for my own home network and like other mesh routers, it combines the 2.4, 5 and 6 GHz bands into a single network. As many smart home devices only work on the 2.4 GHz band, I used the Deco app to create a guest network on the 2.4 GHz band which I keep my smart home devices connected to.

Just like with your laptop and smartphone, you want to ensure that you’re keeping all of your smart home devices up-to-date by installing the latest firmware as soon as it becomes available. Likewise, you also want to enable two factor authentication (2FA) in a smart home device maker’s app if it’s available.

Finally, in the same way that you secure all of your online accounts with a strong password, you want to do the same thing for your smart home devices and their respective apps. One of the best password managers can make this easier as they generate strong passwords for you which you can then use autofill to enter when it comes time to login.

IoT and smart home devices have a reputation for being vulnerable to hackers as many manufacturers don’t update and patch them accordingly. However, in this case, TP-Link has already taken steps to fix these flaws so that they can’t be exploited by hackers in the wild.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.