Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

The IoT Breaches your Household Again

Davide Bonaventura, Sergio Esposito, Giampaolo Bella

TL;DR

<3-5 sentence high-level summary> Demonstrates that Tp-Link Tapo smart devices share attack surfaces via common protocols, enabling cross-device exploitation. The study introduces a new Attack Scenario 6 and a rogue Setup D configuration to reveal credential and network data exfiltration risks from unconfigured devices, validated across L530E, L510E V2, L630, P100, and C200. Findings show full exploitability on several bulbs before fixes, while vendor patches restrict most attack scenarios and reduce overall risk, with only negligible residual exposure. The work highlights ecosystem-wide security implications for IoT devices, the importance of responsible disclosure, and the need for robust, cross-device mitigations in smart home ecosystems.

Abstract

Despite their apparent simplicity, devices like smart light bulbs and electrical plugs are often perceived as exempt from rigorous security measures. However, this paper challenges this misconception, uncovering how vulnerabilities in these seemingly innocuous devices can expose users to significant risks. This paper extends the findings outlined in previous work, introducing a novel attack scenario. This new attack allows malicious actors to obtain sensitive credentials, including the victim's Tapo account email and password, as well as the SSID and password of her local network. Furthermore, we demonstrate how these findings can be replicated, either partially or fully, across other smart devices within the same IoT ecosystem, specifically those manufactured by Tp-Link. Our investigation focused on the Tp-Link Tapo range, encompassing smart bulbs (Tapo L530E, Tapo L510E V2, and Tapo L630), a smart plug (Tapo P100), and a smart camera (Tapo C200). Utilizing similar communication protocols, or slight variants thereof, we found that the Tapo L530E, Tapo L510E V2, and Tapo L630 are susceptible to complete exploitation of all attack scenarios, including the newly identified one. Conversely, the Tapo P100 and Tapo C200 exhibit vulnerabilities to only a subset of attack scenarios. In conclusion, by highlighting these vulnerabilities and their potential impact, we aim to raise awareness and encourage proactive steps towards mitigating security risks in smart device deployment.

The IoT Breaches your Household Again

TL;DR

<3-5 sentence high-level summary> Demonstrates that Tp-Link Tapo smart devices share attack surfaces via common protocols, enabling cross-device exploitation. The study introduces a new Attack Scenario 6 and a rogue Setup D configuration to reveal credential and network data exfiltration risks from unconfigured devices, validated across L530E, L510E V2, L630, P100, and C200. Findings show full exploitability on several bulbs before fixes, while vendor patches restrict most attack scenarios and reduce overall risk, with only negligible residual exposure. The work highlights ecosystem-wide security implications for IoT devices, the importance of responsible disclosure, and the need for robust, cross-device mitigations in smart home ecosystems.

Abstract

Despite their apparent simplicity, devices like smart light bulbs and electrical plugs are often perceived as exempt from rigorous security measures. However, this paper challenges this misconception, uncovering how vulnerabilities in these seemingly innocuous devices can expose users to significant risks. This paper extends the findings outlined in previous work, introducing a novel attack scenario. This new attack allows malicious actors to obtain sensitive credentials, including the victim's Tapo account email and password, as well as the SSID and password of her local network. Furthermore, we demonstrate how these findings can be replicated, either partially or fully, across other smart devices within the same IoT ecosystem, specifically those manufactured by Tp-Link. Our investigation focused on the Tp-Link Tapo range, encompassing smart bulbs (Tapo L530E, Tapo L510E V2, and Tapo L630), a smart plug (Tapo P100), and a smart camera (Tapo C200). Utilizing similar communication protocols, or slight variants thereof, we found that the Tapo L530E, Tapo L510E V2, and Tapo L630 are susceptible to complete exploitation of all attack scenarios, including the newly identified one. Conversely, the Tapo P100 and Tapo C200 exhibit vulnerabilities to only a subset of attack scenarios. In conclusion, by highlighting these vulnerabilities and their potential impact, we aim to raise awareness and encourage proactive steps towards mitigating security risks in smart device deployment.
Paper Structure (18 sections, 2 figures, 5 tables)

This paper contains 18 sections, 2 figures, 5 tables.

Table of Contents

  1. INTRODUCTION
  2. Contributions
  3. Ethics and Responsible Disclosure
  4. Paper Summary
  5. RELATED WORK
  6. Previous Attacks on Tapo Bulbs
  7. BREACHING THE HOUSEHOLD AGAIN
  8. Setup D
  9. Attack Scenario 6
  10. IMPACT ON TARGET DEVICES
  11. Firmware Without Fixes
  12. Tp-Link Tapo Smart Wi-Fi Light device, Multicolor (L530E)
  13. Tp-Link Tapo Smart Wi-Fi Light Bulb, Dimmable (L510E V2)
  14. Tp-Link Tapo Smart Wi-Fi Spotlight, Multicolor (L630)
  15. Tp-Link Tapo Mini Smart Wi-Fi Socket (P100)
  16. ...and 3 more sections

Figures (2)

  • Figure 1: Setup D, network with a non-configured device.
  • Figure 2: Sequence chart for the attack scenario 6.