Your lightbulbs can be hacked to breach your Wi-Fi network

Concept art representing cybersecurity principles
Nytt DDoS-rekord (Image credit: Shutterstock / ZinetroN)

TP-Link’s popular smart lightbulb and its companion mobile app were found to be carrying multiple high-severity flaws which could allow hackers to gain access to the connected Wi-Fi network.

That, in turn, could allow threat actors to access other endpoints on the network, which could give them access to sensitive data, or allow them to deploy different malware and ransomware.

This is according to cybersecurity researchers from the Italian Universita di Catania, and their peers from the University of London. As reported by BleepingComputer, the researchers from these two universities analyzed the "top-selling" TP-Link Tapo L530E and its companion app, which has approximately 10 million installations on Google Play alone.

Four vulnerabilities

In total, the researchers uncovered four vulnerabilities. The first two (severity scores 8.8 and 7.6.) could be chained to impersonate the lightbulb on the network, and thus retrieve the Tapo user account details. This information can then be used to extract the target’s Wi-Fi SSD and password. 

The fourth vulnerability can be used to launch so-called replay attacks, which the attackers can use to make functional changes in the lightbulb.

The researchers said they reached out to TP-Link with their findings, which the company subsequently acknowledged. It also said that it would release a patch soon. Other than that, TP-Link is currently silent on the matter, BleepingComputer concluded. 

Smart devices and home appliances could be a great way to automate some of the more mundane household tasks, but they also present unique security challenges. Cybersecurity researchers agree that these devices should be kept on a separate network and that they should always be up-to-date.

Recently, its was found that many older Canon printers carry a flaw that allow others to access the Wi-Fi SSIDs and passwords stored in their memory. It therefore warned users to make sure to delete all network information prior to discarding or reselling the affected models.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.