2025-02-14 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)11/24 Report--
Thanks to CTOnews.com netizen Alejandro86 for the tip! CTOnews.com, August 22 (Xinhua) Italian and British researchers have discovered four vulnerabilities in the TP-Link Tapo L530E smart light bulb and the TP-Link Tapo application that attackers can use to steal the target's WiFi password. The related paper has been published on arXiv.
The TP-Link Tapo L530E is reported to be a best-selling smart light bulb in Amazon's overseas markets. CTOnews.com found that the price of the two bulbs is $24.99 in the United States, where the product has an Amazon rating of 4.1 out of 5, with 4185 reviews.
▲ Image source: Amazon US
The vulnerabilities described by the researchers are as follows:
The first vulnerability is improper authentication on the Tapo L530E, which allows attackers to impersonate the device during the session key exchange step. This high-severity vulnerability (CVSS v3.1 score: 8.8) allows an adjacent attacker to retrieve Tapo user passwords and manipulate Tapo devices.
The second vulnerability is also high severity (CVSS v3.1 score: 7.6). It is caused by a hard-coded, short checksum shared secret that attackers can obtain by brute force or by decompiling the Tapo application.
The third vulnerability is a moderate-severity flaw: a lack of randomness in the symmetric encryption process makes the encryption scheme predictable.
The fourth vulnerability is that the freshness of received messages is not checked. Session keys stay valid for 24 hours, and an attacker can replay messages during that period.
▲ Source: BleepingComputer
The researchers disclosed these vulnerabilities to TP-Link, which acknowledged the problems and told them that the application and light bulb firmware would be fixed soon.
Until then, the researchers recommend that users isolate these types of devices from critical networks, use the latest available firmware updates and accompanying application versions, and protect accounts with secondary authentication and strong passwords.
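The freshness check whose absence is the fourth vulnerability can be sketched from the receiver's side. This is an added example, not TP-Link's protocol or the researchers' code: the HMAC-SHA256 framing, the 30-second clock skew, the 15-minute session lifetime and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

MAX_SKEW = 30           # assumed: seconds a timestamp may differ from our clock
SESSION_TTL = 15 * 60   # assumed: short session lifetime instead of 24 hours
TAG_LEN = 32            # HMAC-SHA256 output size
HDR = struct.Struct(">QQ")  # sequence number, unix timestamp

def seal(key, seq, payload, now=None):
    """Sender: bind a sequence number and timestamp to the payload."""
    ts = int(time.time() if now is None else now)
    body = HDR.pack(seq, ts) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key, now=None):
        self.key = key
        self.started = time.time() if now is None else now
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, msg, now=None):
        """Return the payload, or raise ValueError naming the rejection."""
        now = time.time() if now is None else now
        if now - self.started > SESSION_TTL:
            raise ValueError("session expired")
        if len(msg) < HDR.size + TAG_LEN:
            raise ValueError("truncated")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag")   # header or payload was altered
        seq, ts = HDR.unpack(body[:HDR.size])
        if abs(now - ts) > MAX_SKEW:
            raise ValueError("stale")     # captured earlier, sent late
        if seq <= self.last_seq:
            raise ValueError("replay")    # already-seen sequence number
        self.last_seq = seq
        return body[HDR.size:]

if __name__ == "__main__":
    key = os.urandom(32)                    # constructed session key
    rx = Receiver(key)
    msg = seal(key, 0, b'{"on": true}')     # constructed command
    print(rx.accept(msg))
    try:
        rx.accept(msg)                      # same bytes sent a second time
    except ValueError as err:
        print("rejected:", err)
```

The sequence number and timestamp are covered by the tag, so neither can be rewritten to make an old capture look fresh.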