Cybersecurity researchers have discovered 4 security flaws affecting a famous connected light bulb model. By exploiting them, hackers can easily recover your Wi-Fi network password.
Let there be light ! Or the color blue, or the music. Connected bulbs have been part of the daily life of some for years. In addition to allow remote lighting controlby choosing the intensity or the shade, they can also broadcast sound depending on the models. But who says connected object says potential security breach. After all, even our printers are not immune to hackers. Italian cybersecurity researchers have studied a widespread connected bulb model as well as its associated application. The conclusions are not reassuring.
The teams discovered no less than 4 loopholes hackers can get into. The first is the most serious, with a criticality score of 8.8 out of 10. Coupled with the second, it allows the hacker to pretend to be the light bulb connected to the network, and so recover the identifiers of its ownerof which WiFi password. The fourth allows the intruder to control the behavior of the bulb themselves. We are talking here about the Tapo L530E from TP-Link, one of the best-selling brands and one of the most used in the world. The companion app has been downloaded 10 million times on the Play Store.
Hackers can infiltrate smart light bulb known to steal Wi-Fi passwords
It is easy to understand why the breaches identified are dangerous. By retrieving the SSID (name) of the Wi-Fi network and the associated password, the hacker has access to all the devices connected to it. To be vulnerable, the bulb must be in configuration mode. Except that it is possible for a malicious person to force reset device remotely. The victim is then forced to launch the configuration process and therefore toopen the door to other attacks.
The research team notified TP-Link. The company has acknowledged the problems and ensures that a fix is on the way, without giving further details. In the meantime, if you own the Tapo L530E, make sure the bulb app and firmware are at day.
Source: Bleeping Computer