Link Tapo l530e Smart Bulb Flaws Allow Hackers to Steal User Passwords

Cyber Security Threat Summary:
The TP-Link Tapo L530E smart bulb and its corresponding mobile app are affected by four vulnerabilities, leaving users susceptible to hacking. Researchers from the University of Catania and the University of London have identified these vulnerabilities, which could potentially enable attackers to pilfer users' WiFi passwords. A widely popular smart bulb, TP-Link Tapo L530E, available on various platforms such as Amazon, is impacted. The mobile app, TP-link Tapo, utilized for device control, boasts a significant user base with 10 million installations on the Play Store.

“The first vulnerability is an improper authentication issue on Tapo L503E, an attacker can exploit the issue to impersonate the device during the session key exchange step. The flaw can allow an adjacent attacker to retrieve Tapo user passwords and control Tapo devices. The vulnerability received a CVSS score of 8.8. “Vulnerability 1. Lack of authentication of the smart bulb with the Tapo app, 8.8 CVSS score, High severity. The app does not get any guarantee about the identity of its peer. Therefore, anyone can authenticate to the app and pretend to be the smart bulb.” reads the research paper. The vulnerability can only be exploited if the bulb is in setup mode, when it exposes its SSID. The researchers pointed out that even if it is already connected, the attacker can mount a Wi-Fi deauthentication attack and repeat it until the user resets the bulb. The second flaw is related to the use, by the smart bulb and the Tapo app, of a hardcoded, short shared secret exposed by code fragments. The flaw received a CVSS score of 7.6. The third issue is a lack of randomness during symmetric encryption, the initialization vectors (IVs) used by the Tapo app and the smart bulb are static, and each communication session uses a single, fixed IV for each message. The flaw received a CVSS score of 4.6. The fourth vulnerability is caused by insufficient message freshness by both the app and the smart bulb. The attackers can also conduct a different attack, they can use the recently acquired credentials to mimic the user while configuring the light bulb. Using this trick the attacker can obtain a session key from the device, which can then be transmitted back to the user. As a result, the attacker successfully executes a man-in-the-middle attack. Furthermore, during the device setup process, the Tapo app inadvertently exposes Wi-Fi credentials to the attacker, significantly heightening the potential for malicious activities that rely on local access” (SecurityAffairs, 2023).

Additionally, the threat actors possess the capability to carry out an alternative attack strategy. By leveraging the recently obtained credentials, they can imitate the user while configuring the light bulb. This manipulation enables the attacker to procure a session key from the device, which can subsequently be transmitted back to the user. This sequence of events facilitates the successful execution of a man-in-the-middle attack.

Security Officer Comments:
Moreover, during the device setup process, the Tapo app unintentionally exposes Wi-Fi credentials to the attacker. This inadvertent exposure significantly amplifies the potential for malicious actions dependent on local access. When exploiting the fourth vulnerability, the attacker can be certain that any replayed message will be accepted by the smart bulb, creating an environment conducive to launching a Denial-of-Service attack. Other vulnerabilities can potentially let a hacker access the key utilized by both the app and smart bulb for authentication and ensuring message integrity. This access empowers the attacker to tamper with the authentication process. The researchers communicated their discoveries to TP-Link using the company's vulnerability reporting initiative. The vendor has initiated efforts to rectify these vulnerabilities.

Suggested Correction(s):

Fix for Vulnerability 1:
This vulnerability is the most complex and dangerous. It is not easy to find a simple fix to it because the protocol should be widely revised. Our proposed fix requires the smart bulb to sign the message of AES key transmission with an asymmetric, private key. The validity of that key as to belong to the bulb could be verified by the app via a digital certificate to retrieve from the Cloud Server during the association of the bulb with the app. Of course, such a certificate should chain up to a root certificate to be securely stored with the app. All this would allow the app to get evidence about the authenticity of the response, i.e., that the response really comes from the smart bulb. In consequence, the app will eventually store all certificates of the associated devices.

Fix for Vulnerability 2.:
One possible solution to fix this vulnerability is the active presence of the cloud server. This entity should periodically assign each Tapo account afresh key to use when calculating the checksum within Bulb Discovery messages. The key assigned to a Tapo account should then be communicated to all devices associated with it. The benefits of the fix can be summarized as follows:

      The key is not hard-coded, so the attacker would no longer be able to get it by decompiling the Tapo app or the firmware of a Tapo device.
        Each account has its own key, therefore, compromising a Tapo account, or a key, would not result in compromising the keys of other Tapo accounts.
          The key should be long and random enough by current standards so that brute-force attacks would not be profitable anymore.
            The key is always fresh, so even if an attacker were to get the key of a Tapo account, the latter would not be compromised forever, but only until the validity of the stolen key expires and the cloud server assigns a new key to it. It would also be useful to use a collision-resistant cryptographic hash function for the checksum. Examples of cryptographic hash functions are SHA-224 or SHA3-224.
          Fix for Vulnerability 3: This vulnerability can be fixed by making the IV dynamic, i.e., using different IVs to encrypt different messages. This should be done by both the Tapo app and the Tapo L530E. The IV used to encrypt the JSON contained in the params field could then be included as a field in the plain part of JSON contained in Bulb-App communications.

          Fix for Vulnerability 4.: T