Here’s how a simple smart light bulb could steal your passwords


Camille Coirault

August 24, 2023 at 4:00 p.m.


Connected bulb © Pixabay


While they are supposed to make indoor life easier, some connected light bulbs are perfect little accomplices for hackers. A team of researchers has shed light on the vulnerabilities of a very popular model on the market.

Connected objects have grown in popularity in homes in recent years: household appliances, thermostats, cameras and lights have all seen rapid innovation. The problem is that their connection to the Wi-Fi network necessarily makes them vulnerable to hacking. Recently, researchers from the University of London and the Università di Catania looked into the case of the TP-Link Tapo L530E connected light bulb and the application associated with it. This popular model could actually leak your passwords.

Significant flaws behind an innocuous appearance

It is precisely because this bulb is so widespread in homes that the researchers decided to analyze its security. The result is not really satisfactory: their investigation concluded that at least four vulnerabilities are exploitable in this bulb. All are related to insufficient security measures.

The most important, rated high risk (a severity score of 8.8/10), allows potential attackers to impersonate the light bulb when a session key exchange takes place. This exchange is the process that normally ensures that communications between the bulb and the controlling device (a smartphone or tablet, for example) are secure. In the case of this bulb, the process is apparently not robust enough.

The second flaw, also classified as high risk (7.6/10), is due to the weakness of the verification code used by the bulb. Hackers can then decrypt it very easily, which would give them several possibilities: control the bulb (day, night, etc.), monitor its hours of use, or use it to organize an attack on other devices connected to the home network. The other two vulnerabilities are less important but remain relatively annoying. The bulb’s encryption lacks randomness, and there is twenty-four-hour access to messages passing through the light bulb, making it easy for hackers to gain access.

TP Link Tapo vulnerabilities

Is it serious, doctor?

The flaw considered to be the most risky can indeed cause concern. If the bulb’s identity is compromised on the network, it is entirely possible for hackers to gain access to sensitive information. If the password of your Wi-Fi network falls into their hands, it is easy for them to access the data of all the devices connected to it. That is quite worrying, but for this the bulb must be in “Configuration” mode, which reduces the chances of an attack a little. On the other hand, sufficiently seasoned hackers could circumvent this defense by simply disabling the authentication of the light bulb.

TP-Link has been notified by the researchers and has promised that a firmware update for the bulb model will arrive soon. The ideal way to protect against this type of attack is to use multi-factor authentication as soon as an application or object offers this possibility. This does not completely eliminate the risk, but greatly reduces it.

Source: Digital Trends
