Smart light bulbs and IoT security vulnerabilities

October 23, 2023

On our blog, we have already addressed topics related to smart devices in the context of security. To read more about how such devices are not so smart at all, click here. This article further explores the issue of light bulbs vulnerabilities. You’ll also learn, how is it possible that through such a simple device, one can fall victim to hacker attack.

In August 2023, analysts from universities in the UK and Italy jointly published a paper on cryptographic security vulnerabilities in a very well known “smart” light bulb model: Tapo L530E, from TP-Link – one of the best-selling and most popular bulbs of its kind.

Many IoT (Internet of Things) devices, like the aforementioned light bulb, are designed for efficient configuration via Wi-Fi. In this case, all you need to do is screw in the bulb and quickly turn it on and off a few times for the device to enter configuration mode. Consequently, the bulb turns into a temporary Wi-Fi access point, through which, using a phone app, you can set up a home network and amd connect to the cloud, where you can remotely manage the device.

This is where the first vulnerability occurs. A potential attacker can fake an access point and force the user to connect to that network instead of the light bulb’s. It’s possible because the authentication method does not use secure standards. As it turns out, the checksum used in the device’s authentication process is embedded in the bulb’s firmware and it’s easy to obtain after decompilation. What makes matters worse, is that it can be broken by force (known as brute force). Since the key is only 32-bit, it’s not difficult to guess it, considering the current power of computers. The authors of the study say it took them about 140 minutes on average.

Then, according to the setup process, the bulb should receive the user’s Wi-Fi password and login information for the manufacturer’s portal account. This is where another security problem arises. The application does not verify with whom they are exchanging information. Once the connection with the fake access point is made, it’s too late. Put together, these two security vulnerabilities lead to a situation where, an attacker enters user’s network through a fake access point, forces a connection and obtains the network account and password associated with the light bulb. Consequently, an attacker can try credential stuffing methods, that is, use the acquired set of credentials to access other accounts on different systems of the same user. This tactic often proves effective, as many people use the same password for more than one system.

The authors also identified vulnerabilities in the cryptographic algorithm that is used to encrypt communications. An AES-128-CBC cipher is used here, and the way the data is encrypted is not entirely secure and someone very determined would be able to breach these protections as well.

The example of the smart light bulb shows us the risks of deploying IoT devices into current networks and computer systems. Interestingly, this is not the only light bulb model that proved vulnerable to attacks. In 2020, CheckPoint conducted a security analysis of the Phillips Hue light bulb. The device allowed potential attackers to infiltrate user’s network through the ZigBee protocol, which is used to remotely manage IoT devices, among other things. The vulnerability allowed hackers to take control over the bulb and install malware. The vulnerability has been designated as CVE-2020-6007 (Base Score 7.9 – High).

Unfortunately, it is still the case of all sorts of smart equipment and gadgets – not enough attention is paid to security. All we can do is wait for relevant updates from the manufacturer and stay alert while using such devices.



Smart Bulbs can be Hacked to Hack into your Household

Smart light bulbs could give away your password secrets

The Dark Side of Smart Lighting: Check Point Research Shows How Business and Home Networks Can Be Hacked from a Lightbulb

Read also:

Smart home devices hacked… with a laser? – EXATEL | Self-Defined Network

Smart devices aren’t as smart as you might think – EXATEL | Self-Defined Network



Published by: CERT EXATEL

Related articles