Tapo (TP-Link) Smart Bulbs and apps can be hacked to compromise your home network

OVERKILL

"Reader friendly" article:
This Is How Hackers Can Use Smart Bulbs to Spy on Your Wi-Fi Password (beebom.com)

Actual PDF of the report here:
2308.09019.pdf (arxiv.org)

Effectively, the system is vulnerable to impersonation during setup, which can also be leveraged during a re-pairing:

Our exploitation experiments of such vulnerabilities demonstrate that a malicious attacker who stands in proximity of the target smart bulb, hence of the Wi-Fi access point to which the bulb is meant to be connected, can exploit the bulb in various ways.

Vulnerability 1 means that the attacker impersonates the bulb and receives the user’s Tapo credentials as well as the user’s Wi-Fi credentials from the Tapo app. To achieve this, the bulb must be in setup mode, when it exposes its own SSID. Alternatively, if the bulb is already configured and working, then the attacker mounts a simple Wi-Fi deauthentication attack against the bulb and repeats it until the user attempts to setup the bulb again to restore it.

The attacker may also interleave another session: by leveraging the credentials just obtained, he impersonates the user through the setup of the bulb and receives a session key from the device, which he may then relay back to the user. Therefore, the attacker effectively mounts a man-in-the-middle attack. Moreover, during device setup, the Tapo app also releases the Wi-Fi credentials to the attacker, thereby causing a clear escalation of the malicious potential for other attacks requiring local access.

As noted, there's a vulnerability for the app, but they released an update to remedy that, so nobody should be running that version anymore.

While they did release a firmware update for the bulbs, many of them do not support auto update and have to be updated manually, which most users won't do, meaning many vulnerable units are still in the wild.

Of course it is not the bulb itself that is the ultimate target but rather its connection to your home network. The bulb is simply a means to gain the necessary information due to the poor coding and leaky communication.


These sorts of things are why my IoT devices, like my smart thermostat, are not on my primary network.
 
Yikes,
so if you don't want to use VLANs (or they aren't supported)

you could set up a separate wifi network and turn on client isolation?
or put them on your "guest" network?
 
I long avoided these types of devices, but they have become a necessary convenience.
Separate VLAN + SSID for all IoT with appropriate firewall rules in place. This doesn't stop botnet activity, but without DPI or an IDS it still protects your LAN.
 
The hacker after they capture my internet traffic:

(attached image)
 
So what does this mean to the layperson?

Have one main connection, which has one outward facing IP address, but two completely separate routers and networks?

One main connection to the outside world split to two internal IP addresses?
 
Have one wireless network for your trusted devices, have another for your untrusted ones, ideally with client isolation enabled so they can't talk to each other. It's fine if they share the same internet connection.

So, say you had two wireless networks:
1. Home LAN which is your trusted network that your laptop connects to, subnet is 10.10.10.0/24
2. Home IoT which is an untrusted network that your thermostat and smart crap is connected to, subnet is 172.21.0.0/24

You'd enable client isolation on #2, maybe restrict the hell out of what devices on it can access, do geoblocking if you are able...etc.
You'd ensure that VLAN1 can't access VLAN2 and vice-versa.

There are different ways of achieving this with different types of equipment. The Aruba access point you have has a "guest" network function that creates its own separate subnet; IIRC, client isolation is on by default and it just routes through the primary gateway, so you don't need to set up VLANs on your firewall.
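One way to implement the trusted/IoT split described above on a Linux router, as an added example that is not from this thread or from TP-Link: an nftables ruleset using the two subnets above, where each segment can reach the internet but neither can reach the other, and the IoT segment can only talk to the router for DHCP and DNS. The interface names (eth0 as WAN, eth0.10 and eth0.20 as the VLAN sub-interfaces) and the assumption that the router runs its own DHCP and DNS resolver are mine; client isolation between IoT devices on the same SSID remains an access-point setting and is not covered here.

```nftables
#!/usr/sbin/nft -f
# Added example: trusted LAN vs. IoT VLAN on a Linux router.
# Interface names are assumptions; adjust to your hardware.
flush ruleset

define WAN_IF  = "eth0"
define LAN_IF  = "eth0.10"      # VLAN 10: trusted devices
define IOT_IF  = "eth0.20"      # VLAN 20: bulbs, thermostat, etc.
define LAN_NET = 10.10.10.0/24
define IOT_NET = 172.21.0.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iifname $LAN_IF accept
        # IoT devices may only reach the router for DHCP and DNS
        iifname $IOT_IF udp dport { 53, 67 } accept
        iifname $IOT_IF tcp dport 53 accept
        iifname $IOT_IF log prefix "iot-to-router-denied " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Each segment may reach the internet and nothing else
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET accept
        iifname $IOT_IF oifname $WAN_IF ip saddr $IOT_NET accept
        # Cross-segment traffic is dropped in both directions; the
        # IoT->LAN rule is logged because a hit there is worth an alert
        iifname $IOT_IF ip daddr $LAN_NET log prefix "iot-to-lan-denied " counter drop
        iifname $LAN_IF ip daddr $IOT_NET counter drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

Load it with `nft -f <file>` (check syntax first with `nft -c -f <file>`) and watch the kernel log for the `iot-to-lan-denied` prefix to see whether anything on the IoT segment is probing the trusted LAN.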
 
OK, this had me laughing hard this AM. I was doing some "retro phone pics" and so fired up an old Blackberry and look what it sees in one of the neighbouring houses:
(attached screenshot)
 
To be fair to TP-Link, your neighbor is doing something wrong or was in the process of setting up the plug when you scanned for WiFi. Once the plug is set up, it won't continue to broadcast. Or, it's been compromised and hijacked 😄
 
For sure, I just saw it and immediately thought of this thread, lol.

Edit: It's still showing up, so I'm going to assume that it's not just in the process of being set up 🫠
 