OVERKILL
$100 Site Donor 2021
This Is How Hackers Can Use Smart Bulbs to Spy on Your Wi-Fi Password (beebom.com)
Actual PDF of the report here:
2308.09019.pdf (arxiv.org)
Effectively, the system is vulnerable to impersonation during setup, which can also be leveraged during a re-pairing:
Our exploitation experiments of such vulnerabilities demonstrate that a malicious attacker who stands in proximity of the target smart bulb, hence of the Wi-Fi access point to which the bulb is meant to be connected, can exploit the bulb in various ways.
Vulnerability 1 means that the attacker impersonates the bulb and receives the user’s Tapo credentials as well as the user’s Wi-Fi credentials from the Tapo app. To achieve this, the bulb must be in setup mode, when it exposes its own SSID. Alternatively, if the bulb is already configured and working, then the attacker mounts a simple Wi-Fi deauthentication attack against the bulb and repeats it until the user attempts to set up the bulb again to restore it.
The attacker may also interleave another session: by leveraging the credentials just obtained, he impersonates the user through the setup of the bulb and receives a session key from the device, which he may then relay back to the user. Therefore, the attacker effectively mounts a man-in-the-middle attack. Moreover, during device setup, the Tapo app also releases the Wi-Fi credentials to the attacker, thereby causing a clear escalation of the malicious potential for other attacks requiring local access.
As noted, there's a vulnerability for the app, but they released an update to remedy that, so nobody should be running that version anymore.
While they did release a firmware update for the bulbs, many of them do not support auto-update and have to be updated manually, which most users won't do, meaning many vulnerable units are still in the wild.
Of course it is not the bulb itself that is the ultimate target but rather its connection to your home network. The bulb is simply a means to gain the necessary information due to the poor coding and leaky communication.
These sorts of things are why my IoT devices, like my smart thermostat, are not on my primary network.