Work
"A case of smart devices that compromise home cybersecurity" describes a penetration testing session on six devices from the TP-Link Tapo IoT ecosystem: the Tapo L530E, the Tapo P100, the Tapo C200, the Tapo L510E V2, the Tapo L630 and the Tapo L900. During the session we found four vulnerabilities that enable five exploits. Because authentication is not properly enforced and the implemented cryptographic measures do not sufficiently guarantee confidentiality, the attacker can operate at will every device of the Tapo family on the victim's Tapo account and learn the victim's Wi-Fi password, which escalates their malicious potential considerably.
The tested firmware versions of each device are:
| Device | Vulnerable Version | Fixed Version |
|---|---|---|
| L530E | 1.1.9 | 1.2.4 |
| P100 | 1.4.9 and 1.4.16 | 1.5.0 |
| C200 | 1.1.18 | - |
| L510E V2 | 1.0.8 | 1.1.0 |
| L630 | 1.0.3 | 1.0.4 |
| L900 | 1.0.17 | 1.1.0 |
TP-Link acknowledged the issues we responsibly reported through their Product Security Advisory (PSA). We actively collaborated with them by testing the fixes and confirming that the attack scenarios are no longer exploitable or do not give the attacker any advantage. TP-Link confirmed that they already released the necessary fixes to address the vulnerabilities and that the changes do not affect the normal use and stability of the products.
The vulnerabilities that affect each device are:
| Device | Vulnerability 1 | Vulnerability 2 | Vulnerability 3 | Vulnerability 4 |
|---|---|---|---|---|
| L530E | 🐞 | 🐞 | 🐞 | 🐞 |
| P100 | 🐞 | 🐞 | 🐞 | 🐞 |
| C200 | 🛡️ | 🐞 | 🛡️ | 🛡️ |
| L510E V2 | 🐞 | 🐞 | 🐞 | 🐞 |
| L630 | 🐞 | 🐞 | 🐞 | 🐞 |
| L900 | 🐞 | 🐞 | 🐞 | 🐞 |
🐞 if the vulnerability is present, 🛡️ otherwise.
Exploits
- Exploit 1.1 - MITM Attack. The attacker breaches the confidentiality of the session key exchanged between the Tapo device and the Tapo app by performing a Man-in-the-Middle (MITM) attack. As a result, the integrity and confidentiality of the session's messages are compromised. After the exploit succeeds, both the Tapo app and the Tapo device believe they share a session key exclusively with each other, while in fact they are sharing it with the attacker.
- Exploit 1.2 - Device Impersonation. The attacker impersonates any Tapo device that uses TSKEP over HTTP traffic. As a result, the Tapo app exchanges messages with the attacker as if they were a legitimate Tapo device. After the exploit succeeds, the authentication, confidentiality and integrity of the session's messages are compromised.
- Exploit 2.1 - Brute-force of the hard-coded short checksum shared secret. The attacker recovers, by brute force, the hard-coded short checksum secret shared between the Tapo app and the Tapo device, which both use when calculating the checksum of UDP messages. With this shared secret, the attacker can forge TDDP request messages to send to the Tapo device and TDDP response messages to send to the Tapo app.
- Exploit 2.2 - Reverse Engineering of the Tapo App. The attacker decompiles the Tapo app and reverse-engineers its source code to retrieve the shared secret that the Tapo app and the Tapo device use for calculating the MAC.
- Exploit 3.1 - Partial Breach of Confidentiality of Messages. By comparing two different ciphertexts from the same communication session between the Tapo app and the Tapo device, the attacker can determine whether they originate from the same plaintext, from plaintexts that are equal in their initial bytes, or from completely different plaintexts.
- Exploit 4.1 - Replay Attack against Tapo device. The attacker exploits the fact that neither the Tapo app nor the device checks the timestamp of received messages. Without verifying the freshness or uniqueness of messages, they accept any message encrypted with a session key, which remains valid for up to 24 hours. As a result, the attacker can replay old messages encrypted with a still-valid key.
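The leak behind Exploit 3.1 can be reproduced in a few lines of Go. This is an added example, not code from the papers or from TP-Link: it assumes AES-128-CBC with one IV reused for the whole session, which is one scheme with exactly the property described above (equal leading plaintext blocks give equal leading ciphertext blocks), and the key, IV and commands are constructed samples. The second function shows the corrective of drawing a fresh random IV per message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptCBC is AES-128-CBC (PKCS#7 padded) under a caller-supplied IV. Reusing one IV
// for a whole session, as assumed here, is what lets ciphertexts be compared block by block.
func encryptCBC(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

// encryptCBCFreshIV is the corrected form: a random IV per message, prepended to the ciphertext.
func encryptCBCFreshIV(key, pt []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return append(iv, encryptCBC(key, iv, pt)...)
}

// commonPrefixBlocks counts the leading 16-byte blocks two ciphertexts share (under a fixed IV: shared plaintext blocks).
func commonPrefixBlocks(a, b []byte) int {
	n := 0
	for (n+1)*aes.BlockSize <= len(a) && (n+1)*aes.BlockSize <= len(b) &&
		bytes.Equal(a[n*aes.BlockSize:(n+1)*aes.BlockSize], b[n*aes.BlockSize:(n+1)*aes.BlockSize]) {
		n++
	}
	return n
}

func main() {
	key := []byte("0123456789abcdef") // constructed sample key, not a real session key
	iv := []byte("fedcba9876543210")  // constructed IV reused for the whole session
	m1 := []byte(`{"action":"set_state","on":true}`)  // constructed commands sharing
	m2 := []byte(`{"action":"set_state","on":false}`) // their first 16 bytes
	fmt.Println("fixed IV, leading blocks in common:", commonPrefixBlocks(encryptCBC(key, iv, m1), encryptCBC(key, iv, m2)))
	fmt.Println("fresh IV, leading blocks in common:", commonPrefixBlocks(encryptCBCFreshIV(key, m1)[16:], encryptCBCFreshIV(key, m2)[16:]))
}
```

With the fixed IV the first line reports 1 (one shared plaintext block, the differing tail breaks the chain from there); with fresh IVs the count is 0 even for identical plaintexts.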
Exploits applicable to each target device on firmware without the fixes:
| Device | EX1.1 | EX1.2 | EX2.1 | EX3.1 | EX4.1 |
|---|---|---|---|---|---|
| L530E | 🐞 | 🐞 | 🐞 | 🐞 | 🐞 |
| P100 | 🐞 | 🐞 | 🐞 | 🐞 | 🐞 |
| C200 | 🛡️ | 🛡️ | 🐞 | 🛡️ | 🛡️ |
| L510E V2 | 🐞 | 🐞 | 🐞 | 🐞 | 🐞 |
| L630 | 🐞 | 🐞 | 🐞 | 🐞 | 🐞 |
| L900 | 🐞 | 🐞 | 🐞 | 🐞 | 🐞 |
🐞 if the exploit applies, 🛡️ otherwise.
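A receiver-side freshness check is the mitigation for Vulnerability 4 (Exploit 4.1): the receiver bounds the age of the timestamp and remembers the nonces it accepted within that bound, so a captured message is rejected on its second arrival even while the 24-hour session key is still valid. This is an added example, not code from the papers or the Tapo firmware; the message envelope with a per-message nonce, the acceptance window and the FreshnessChecker type are assumptions.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// Message is an assumed envelope: the page only says receivers ignore the timestamp;
// the per-message nonce and the acceptance window are this example's assumptions.
type Message struct {
	Timestamp int64  // seconds since the epoch, set by the sender
	Nonce     string // random value unique per message
}

var ErrStale = errors.New("timestamp outside the acceptance window")
var ErrReplay = errors.New("nonce already accepted within the window")

// FreshnessChecker remembers nonces accepted within the window, so a captured
// message is rejected on its second arrival even while the session key is still valid.
type FreshnessChecker struct {
	mu     sync.Mutex
	window time.Duration
	seen   map[string]int64 // nonce -> timestamp it was accepted with
}

func NewFreshnessChecker(window time.Duration) *FreshnessChecker {
	return &FreshnessChecker{window: window, seen: make(map[string]int64)}
}

// Accept returns nil for a fresh message; now is injected so the check is testable.
func (f *FreshnessChecker) Accept(m Message, now time.Time) error {
	f.mu.Lock()
	defer f.mu.Unlock()
	limit := int64(f.window.Seconds())
	if age := now.Unix() - m.Timestamp; age > limit || age < -limit {
		return ErrStale // too old, or too far in the future (clock skew bound)
	}
	// Forget nonces whose timestamps left the window: a replay of them is stale anyway.
	for n, ts := range f.seen {
		if now.Unix()-ts > limit {
			delete(f.seen, n)
		}
	}
	if _, dup := f.seen[m.Nonce]; dup {
		return ErrReplay
	}
	f.seen[m.Nonce] = m.Timestamp
	return nil
}
```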
Responsible Disclosure
Complete Timeline of the Responsible Disclosure Process
- May 2022: Research on Tapo L530E starts!
- 25th February 2023: We start the responsible disclosure process by reporting all found undesirable behaviors and potential vulnerabilities to TP-Link, via their TP-Link Product Security Advisory. Our report includes the lack of authentication of the smart bulb with the Tapo app, the hard-coded, short shared secret, the lack of randomness during symmetric encryption, and the insufficient message freshness.
- 1st March 2023: First response from TP-Link. TP-Link handled this vulnerability without delay, responded positively to the vulnerability report, and started validating a fix as soon as possible.
- 11th April 2023: After a first review of the report, TP-Link does not object to our decision to submit our research paper to venues for publication.
- 23rd April 2023: "Smart Bulbs can be Hacked to Hack into your Household" paper is accepted to the SECRYPT 2023 conference!
- 16th June 2023: TP-Link has confirmed a valid solution and is releasing new firmware to fix the issue.
- 19th June 2023: Agreed deadline for the disclosure.
- 12th July 2023: Vulnerabilities are disclosed via publication of the "Smart Bulbs can be Hacked to Hack into your Household" paper on SciTePress.
- July 2023: Research on Tapo P100 and Tapo C200 starts!
- August 2023: Research on Tapo L510E V2 and Tapo L630 starts!
- 11th October 2023: We report to the TP-Link Product Security Advisory that the vulnerabilities are also present on Tapo P100, Tapo L510E V2, and Tapo L630.
- 5th December 2023: TP-Link confirms the found vulnerabilities for these products as well and releases a fix for all of them.
- 2nd March 2024: "The IoT Breaches Your Household Again" paper is accepted to the SECRYPT 2024 conference!
- 12th March 2024: Agreed deadline for the disclosure of the vulnerabilities on the other devices.
- May 2024: Research on Tapo L900 starts!
- June 2024: TP-Link confirms the found vulnerabilities for this product as well and releases a fix for it.
- 10th July 2024: Vulnerabilities on the other Tapo devices are disclosed via publication of the "The IoT Breaches Your Household Again" paper on SciTePress.
- January 2025: Our final work "A case of smart devices that compromise home cybersecurity" is published in Volume 151 of the Computers & Security journal, by Elsevier.
Publications
Smart Bulbs can be Hacked to Hack into your Household
Smart Bulbs can be Hacked to Hack into your Household was authored by Davide Bonaventura, Sergio Esposito, and Giampaolo Bella. The paper is published in the proceedings of the 20th International Conference on Security and Cryptography (SECRYPT 2023).
Understanding IoT Security: A Case Study on Smart Bulbs
The IoT Breaches Your Household Again was authored by Davide Bonaventura, Sergio Esposito, and Giampaolo Bella. The paper is published in the proceedings of the 21st International Conference on Security and Cryptography (SECRYPT 2024).
Cryptographic Challenges in IoT Devices
A case of smart devices that compromise home cybersecurity was authored by Davide Bonaventura, Sergio Esposito, and Giampaolo Bella. This research is published in Volume 151 of Elsevier's Computers & Security journal.
CVE
Common Vulnerabilities and Exposures
CVE Entries assigned to the vulnerabilities described in our papers are the following:
- CVE-2023-38906 - Lack of the Smart Bulb Authentication with the Tapo App
- CVE-2023-38907 - Hard-Coded Short Checksum Shared Secret
- CVE-2023-38908 - Lack of Randomness During Symmetric Encryption
- CVE-2023-38909 - Insufficient Message Freshness
Q&A
Questions and Answers
Most likely. We have tested the attacks using the following devices:
- A smart bulb Tapo series L530 with Firmware Version 1.1.9
- A smart bulb Tapo series L510 with Firmware Version 1.0.8
- A smart bulb Tapo series L630 with Firmware Version 1.0.3
- A smart plug Tapo series P100 with Firmware Versions 1.4.9 and 1.4.16
- A smart camera Tapo series C200 with Firmware Version 1.1.18
- A Tapo application Version 2.8.14
Most likely the attacks also work with other versions prior to the ones containing the fix.
All Tapo devices using the described protocol. Vulnerabilities are not implementation-oriented, but design-oriented. This means that all devices using the same protocol used by the tested devices are vulnerable to the described attacks.
Change the password of both your Tapo account and your Wi-Fi network. This allows you to disconnect all devices connected without your consent to your Tapo account or your Wi-Fi network.
Make sure that only devices known to you have access to the Wi-Fi network your smart device is connected to. The attacker can only carry out attacks when they can communicate directly with the smart device.
When you reset your smart device, pay attention to the Wi-Fi network you connect to in order to complete the configuration process. The network you are connected to may be controlled by the attacker rather than the one started by your smart device.
Make sure you do not disclose your Tapo ID. The Tapo ID allows your Tapo application to recognize the devices associated with your account. Through it, the attacker can authenticate to your Tapo application as a device associated with it.
We are not aware of the vulnerabilities being exploited in the wild.
Yes. TP-Link has released new versions of both the firmware and the application that are resistant to the attacks. Make sure you update both.