IoT can be Hacked to Hack into your Household

After conducting a Penetration Testing session across multiple devices within the TP-Link Tapo IoT ecosystem, we identified four vulnerabilities enabling five different potential attacks

Work

"IoT can be Hacked to Hack into your Household" is the description of a Penetration Testing session on five different IoT devices belonging to the TP-Link Tapo IoT ecosystem. The studied devices are the Tapo L530E, the Tapo L510E V2, the Tapo L630, the Tapo C200, and the Tapo P100. During the session we found four vulnerabilities that allow an attacker to perform five attacks. Because authentication is not properly accounted for and the implemented cryptographic measures do not sufficiently guarantee confidentiality, the attacker can operate at will all devices of the Tapo family that the user may have on her Tapo account and learn the victim's Wi-Fi password, thereby escalating his malicious potential considerably.

The tested firmware versions of each device, together with the versions containing the fix, are:

Device   Vulnerable version   Fixed version
L530E    1.1.9                1.2.4
L510E    1.0.8                1.1.0
L630     1.0.3                1.0.4
P100     1.4.9 and 1.4.16     1.5.0
C200     1.1.18               -

TP-Link acknowledged the issues we responsibly reported through their Product Security Advisory (PSA). We actively collaborated with them by testing the fixes and confirming that the attack scenarios are no longer exploitable or no longer give the attacker any advantage. TP-Link confirmed that they have already released the necessary fixes to address the vulnerabilities and that the changes do not affect the normal use and stability of the products.

The vulnerabilities that affect each device are:

Device   Vulnerability 1   Vulnerability 2   Vulnerability 3   Vulnerability 4
L530E    🐞                🐞                🐞                🐞
L510E    🐞                🐞                🐞                🐞
L630     🐞                🐞                🐞                🐞
P100     🐞                🐞                🐞                🐞
C200     🛡️                🐞                🛡️                🛡️

🐞 if the vulnerability is present, 🛡️ otherwise.


Attacks

  • Attack scenario 1 - Fake Device Discovery message generation.

    The attacker discovers the secret used by the smart device and Tapo application to authenticate discovery messages from compatible devices connected to the network, so he can authenticate fake messages.

  • Attack scenario 2 - Password exfiltration from Tapo user account.

    The attacker authenticates himself as the smart device with the Tapo application, so he can obtain the credentials the Tapo application uses with the smart device. In this way the attacker obtains the password and email hash of the victim's Tapo account.

  • Attack scenario 3 - MITM attack with a configured Tapo device.

    The attacker performs a MITM attack on the communication between the smart device and the Tapo application, so he is able to violate the confidentiality of all messages exchanged in that communication.

  • Attack scenario 4 - Replay attack with the Tapo device as victim.

    The attacker replays old messages to both the smart device and the Tapo application, so he can arbitrarily change the state of the smart device.

  • Attack scenario 5 - MITM attack with an unconfigured Tapo device.

    The attacker performs a Wi-Fi deauthentication attack in order to force the user to reset the smart device, so he can perform a MITM attack and obtain the SSID and password of the victim's local network and the credentials used by the victim to authenticate with the Tapo application. The credentials consist of the victim's Tapo account email and password.

Attack Scenario 1 Attack Scenario 2 Attack Scenario 3 Attack Scenario 4 Attack Scenario 5
L530E
L510E
L630
P100 🚫
C200
✅ if the attack scenario is feasible on the target device, ❌ if the attack scenario is not feasible because the communication is encapsulated within a TLS channel, 🚫 if the attack scenario is not feasible because the configuration is done on the Bluetooth channel.
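Attack scenario 4 works because a captured command message stays valid when it carries nothing that ties it to one moment or one session (the "insufficient message freshness" reported to TP-Link). The following is an added Python example written for this page; it is not code from the paper or from TP-Link, and it does not reproduce the Tapo protocol's real message format. The shared key, the JSON envelope fields (nonce, seq, ts, cmd), the 30-second skew window and the sample command are constructed assumptions. It shows a MAC-only receiver accepting the same message twice, and beside it a receiver that binds every message to a per-session nonce, a monotonic counter and a timestamp and therefore rejects replayed, stale, cross-session and tampered messages.

```python
"""Message freshness: MAC-only channel versus nonce + counter + timestamp.

Added example (not Tapo/TP-Link code). Every key, field name and sample
command below is constructed for the demonstration.
"""
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a key shared by the app and the device for one session.
KEY = b"constructed-demo-key-not-a-real-secret"


def _tag(key, body):
    """HMAC-SHA256 over the serialized message body (hex digest)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


# --- weak form: authenticated, but no freshness information -------------
def weak_sign(command):
    body = json.dumps(command, sort_keys=True).encode()
    return {"body": body.decode(), "tag": _tag(KEY, body)}


def weak_verify(msg):
    """Returns the command if the tag is valid, else None.
    A captured message verifies again every time it is resent."""
    body = msg["body"].encode()
    if not hmac.compare_digest(_tag(KEY, body), msg["tag"]):
        return None
    return json.loads(body)


# --- hardened form: session nonce + sequence number + timestamp ---------
class Sender:
    def __init__(self, key, session_nonce=None):
        self.key = key
        # Random per-session value; assumed agreed during pairing.
        self.session_nonce = session_nonce or secrets.token_hex(16)
        self.counter = 0

    def sign(self, command, now=None):
        self.counter += 1  # strictly increasing within the session
        envelope = {
            "nonce": self.session_nonce,
            "seq": self.counter,
            "ts": int(time.time() if now is None else now),
            "cmd": command,
        }
        body = json.dumps(envelope, sort_keys=True).encode()
        return {"body": body.decode(), "tag": _tag(self.key, body)}


class Receiver:
    MAX_SKEW = 30  # seconds; constructed tolerance for clock drift

    def __init__(self, key, session_nonce):
        self.key = key
        self.session_nonce = session_nonce
        self.last_seq = 0  # highest sequence number accepted so far

    def verify(self, msg, now=None):
        """Returns (command, status); command is None unless status == 'ok'."""
        body = msg["body"].encode()
        if not hmac.compare_digest(_tag(self.key, body), msg["tag"]):
            return None, "bad tag"          # tampered or wrong key
        env = json.loads(body)
        if env["nonce"] != self.session_nonce:
            return None, "wrong session"    # captured in another session
        if env["seq"] <= self.last_seq:
            return None, "replay"           # already seen (or older)
        now = time.time() if now is None else now
        if abs(now - env["ts"]) > self.MAX_SKEW:
            return None, "stale"            # outside the freshness window
        self.last_seq = env["seq"]
        return env["cmd"], "ok"


def demo():
    """Runs both receivers over the same constructed command and reports
    what each one accepts."""
    cmd = {"device_on": True}
    captured = weak_sign(cmd)
    weak = [weak_verify(captured) is not None for _ in range(2)]

    sender = Sender(KEY)
    receiver = Receiver(KEY, sender.session_nonce)
    m1 = sender.sign(cmd, now=1000)
    first = receiver.verify(m1, now=1001)[1]       # accepted once
    replayed = receiver.verify(m1, now=1002)[1]    # same bytes again
    m2 = sender.sign(cmd, now=1000)
    stale = receiver.verify(m2, now=5000)[1]       # delivered too late
    m3 = sender.sign(cmd, now=1005)
    ok2 = receiver.verify(m3, now=1006)[1]         # fresh, next in order
    cross = receiver.verify(Sender(KEY).sign(cmd, now=1006), now=1006)[1]
    tampered = {"body": m3["body"].replace("true", "false"), "tag": m3["tag"]}
    bad = receiver.verify(tampered, now=1006)[1]
    return {"weak": weak, "first": first, "replayed": replayed,
            "stale": stale, "ok2": ok2, "cross": cross, "tampered": bad}


if __name__ == "__main__":
    print(demo())
```

The weak receiver returns the command both times the captured message is presented; the hardened receiver accepts it once and answers "replay" afterwards. The session nonce also stops a message recorded in an earlier session from being accepted in a later one, which is the property a fix for scenario 4 needs in addition to a valid MAC.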


Responsible Disclosure

Complete Timeline of the Responsible Disclosure Process
  • June 2022 Research on Tapo L530E starts!

  • 25th February 2023 We start the responsible disclosure process by reporting all found undesirable behaviours and potential vulnerabilities to TP-Link, via their TP-Link Product Security Advisory. Our report includes the lack of authentication of the smart bulb with the Tapo app, the hard-coded, short shared secret, the lack of randomness during symmetric encryption, and the insufficient message freshness.

  • 1st March 2023 First response from TP-Link. TP-Link handled this vulnerability without delay, responded positively to the vulnerability report, and started validating a fix as soon as possible.

  • 11th April 2023 After a first review of the report, TP-Link does not object to our decision to submit our research paper to venues for publication.

  • 23rd April 2023 "Smart Bulbs can be Hacked to Hack into your Household" paper is accepted to the SECRYPT 2023 conference!

  • 16th June 2023 TP-Link has confirmed a valid solution and is releasing new firmware versions to fix the issue.

  • 19th June 2023 Agreed deadline for the disclosure.

  • 12th July 2023 Vulnerability is disclosed via publication of a paper on SciTePress.

  • September 2023 Research on Tapo L510E, Tapo L630, Tapo P100 and Tapo C200 starts!

  • 11th October 2023 We report the found vulnerabilities to the TP-Link Product Security Advisory.

  • 5th December 2023 TP-Link confirms the found vulnerabilities for these products as well, and releases a fix for all of them.

  • 12th March 2024 Agreed deadline for the disclosure of the vulnerabilities on the other devices.


Paper

Smart Bulbs can be Hacked to Hack into your Household

Smart Bulbs can be Hacked to Hack into your Household was authored by Davide Bonaventura (Università degli Studi di Catania), Sergio Esposito (Royal Holloway University of London) and Giampaolo Bella (Università degli Studi di Catania). The paper is published in the proceedings of the 20th International Conference on Security and Cryptography (SECRYPT 2023).

Davide Bonaventura

Master Student at Università degli Studi di Catania

Sergio Esposito

PhD Student at Royal Holloway University of London

Giampaolo Bella

Associate Professor (with Italian MIUR habilitation as Full Professor) at Università degli Studi di Catania

CVE

Common Vulnerabilities and Exposures

CVE Entries assigned to the vulnerabilities described in our paper, Smart Bulbs can be Hacked to Hack into your Household, are the following:


Q&A

Questions and Answers

Most likely. We have tested the attacks using the following devices:
  • A smart bulb Tapo series L530 with Firmware Version 1.1.9
  • A smart bulb Tapo series L510 with Firmware Version 1.0.8
  • A smart bulb Tapo series L630 with Firmware Version 1.0.3
  • A smart plug Tapo series P100 with Firmware Version 1.4.9 and 1.4.16
  • A smart camera Tapo series C200 with Firmware Version 1.1.18
  • A Tapo application Version 2.8.14
Most likely the attacks also work with other versions prior to the versions containing the fix.

All Tapo devices using the described protocol. The vulnerabilities are design-oriented rather than implementation-oriented, so every device that uses the same protocol as the tested devices is vulnerable to the described attacks.

Change the password of both your Tapo account and your Wi-Fi network. This disconnects any device that was connected to your Tapo account and/or your Wi-Fi network without your consent.

Make sure that only devices known to you have access to the Wi-Fi network your smart device is connected to. The attacker can only carry out the attacks when he is able to communicate directly with the smart device.
When you reset your smart device, pay attention to the Wi-Fi network you connect to in order to complete the configuration process. The network you are connected to may be controlled by the attacker rather than being the network started by your smart device.
Make sure you do not disclose your tapoId. The tapoId allows your Tapo application to recognize the devices associated with your account; through it, the attacker is able to authenticate to your Tapo application as a device associated with it.

We are not aware of the vulnerabilities being exploited in the wild.

Yes. TP-Link has released new versions of both the firmware and the application that resist the attacks. Make sure you update both.