TP-Link says it takes security seriously and holds international security certifications, yet academic researchers found that its smart bulb uses encryption that can be broken, relies on a hard-coded shared secret that never changes, and accepts messages an attacker can replay. Four CVEs were assigned to a device whose job is to turn lights on and off. When you set up this smart bulb it creates a temporary open Wi-Fi network, and the researchers showed that a nearby attacker can pose as the bulb during setup and capture your home Wi-Fi network name and password and your TP-Link account login, all because you wanted to connect a light bulb.
What they claim: TP-Link privacy policy states they protect user data and use encryption. Marketing page emphasizes "Your Security and Privacy" as a core value.
What we found: During Wi-Fi onboarding the L530E brings up an open access point (Tapo_Bulb_XXXX) that researchers demonstrated can be impersonated. Attack Scenario 6 from SECRYPT 2024 shows that an attacker within radio range can stand up a look-alike setup AP, intercept the TSKEP handshake, and recover the victim's Wi-Fi SSID and password and Tapo account email and password in cleartext. The window is the setup session itself, but that is exactly when the app hands over every credential it has: a light bulb's setup process can expose your entire home network.
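As an added example (not the paper's code and not anything TP-Link ships), the script below checks a Wi-Fi scan for the onboarding pattern just described: an open Tapo_Bulb_XXXX network, and the same setup SSID advertised from more than one BSSID, which is what an impersonating setup AP looks like from the victim's side. The input format is assumed to be the terse output of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi`, the four-hex-digit suffix is assumed from the page's XXXX, and the sample scan is constructed. Two BSSIDs can also mean two bulbs in setup mode, so treat the duplicate flag as a reason to stop onboarding and look, not as proof of an attack.

```python
"""Flag open Tapo onboarding APs in a Wi-Fi scan and warn when one setup SSID
is served by more than one BSSID (the footprint of an impersonating setup AP).

Added example, not code from the SECRYPT paper or from TP-Link. Input is
assumed to be `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi` output:
colon-separated fields, with colons inside a value escaped as backslash-colon.
"""
import re
from collections import defaultdict

# Setup SSID pattern as described on the page: Tapo_Bulb_XXXX; four hex digits assumed.
TAPO_SETUP_SSID = re.compile(r"^Tapo_Bulb_[0-9A-Fa-f]{4}$")

# Constructed sample scan: a home network, one setup SSID seen from two BSSIDs
# (the second one stronger), and a second bulb in setup mode.
SAMPLE_SCAN = r"""
HomeNet:AA\:BB\:CC\:00\:11\:22:WPA2:80
Tapo_Bulb_1A2B:5C\:E9\:31\:AA\:BB\:CC::55
Tapo_Bulb_1A2B:DE\:AD\:BE\:EF\:00\:01::92
Tapo_Bulb_9C3D:5C\:E9\:31\:11\:22\:33::60
"""


def parse_nmcli_terse(text):
    """Split terse nmcli lines on unescaped colons; returns one dict per AP."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) != 4:
            continue  # malformed line: skip rather than guess
        ssid, bssid, security, signal = fields
        rows.append({
            "ssid": ssid,
            "bssid": bssid.upper(),
            "open": security.strip() == "",  # empty SECURITY field = no encryption
            "signal": int(signal) if signal.isdigit() else 0,
        })
    return rows


def audit_scan(text):
    """Return findings for Tapo setup APs: open networks and duplicated SSIDs."""
    by_ssid = defaultdict(list)
    for ap in parse_nmcli_terse(text):
        if TAPO_SETUP_SSID.match(ap["ssid"]):
            by_ssid[ap["ssid"]].append(ap)

    findings = []
    for ssid, aps in by_ssid.items():
        bssids = sorted({ap["bssid"] for ap in aps})
        if any(ap["open"] for ap in aps):
            findings.append({"ssid": ssid, "issue": "open-setup-ap", "bssids": bssids})
        if len(bssids) > 1:
            # Same setup SSID from several radios: stop onboarding and investigate.
            strongest = max(aps, key=lambda ap: ap["signal"])["bssid"]
            findings.append({"ssid": ssid, "issue": "duplicate-setup-ssid",
                             "bssids": bssids, "strongest": strongest})
    return findings


if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_SCAN):
        print(finding)
```

Run it against a live scan with `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi | python3 audit.py` after swapping SAMPLE_SCAN for `sys.stdin.read()`; the strongest-signal BSSID is reported because a rogue AP placed to win the association is usually the louder one, but that is a heuristic, not an identification.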
What they claim: The Tapo app requests 41 permissions including CAMERA, RECORD_AUDIO, ACCESS_FINE_LOCATION, ACCESS_BACKGROUND_LOCATION, READ_PHONE_STATE, and FOREGROUND_SERVICE_MICROPHONE for a companion app that controls a Wi-Fi light bulb.
What we found: The L530E is a light bulb with one job: switch on and off and change colour and brightness over Wi-Fi. It has no camera, no microphone, no GPS and no telephony, and its only radio is Wi-Fi (no BLE, Zigbee or Z-Wave). The Tapo app nonetheless declares camera access, audio recording, background location, phone-state reading and a microphone foreground service, none of which a bulb needs. Part of the explanation is that the one Tapo app also fronts TP-Link's Tapo cameras, but a bulb owner has to install that same app; what they can do is refuse the runtime prompts for camera and microphone, which Android asks for at use time and which a bulb never needs.
What they claim: TP-Link privacy policy states they collect "device configurations including Wi-Fi credentials" and transfer data to "the United States, Ireland, and Singapore, among other Countries."
What we found: The Tapo app requests ACCESS_BACKGROUND_LOCATION and FOREGROUND_SERVICE_LOCATION, which, if granted, let it track location even when the app is not in use. Some location permission is expected here: Android only lets an app read the connected SSID or scan for networks when it holds fine location, which an onboarding app needs, but that is foreground use and does not call for background location. Combined with the policy's admission that it collects Wi-Fi credentials and device usage patterns, TP-Link can build a profile of when users are home (on/off patterns), which rooms they use, and where they physically are, all from a light bulb, and that data is transferred internationally.
What they claim: The Tapo app requests RECEIVE_BOOT_COMPLETED and multiple FOREGROUND_SERVICE permissions (DATA_SYNC, LOCATION, MICROPHONE), enabling it to start automatically when the phone boots and run background services continuously.
What we found: The CCPA disclosure confirms collection of device usage information, IP addresses, MAC addresses and IMEI numbers (on Android 10 and later, ordinary apps cannot read the IMEI even with READ_PHONE_STATE, so that item mostly concerns older phones). The app's boot-start and background-service permissions let collection continue beyond active use. For a light bulb controller, auto-starting at boot and holding microphone and location foreground services is disproportionate to the device's function.
What they claim: TP-Link privacy policy states data collection is for "providing, personalizing, and improving products." Marketing page claims Tapo "cares about your privacy."
What we found: The Tapo app embeds Google Firebase Analytics and Firebase Crashlytics, and requests ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION and AD_ID, all of which exist to read or attribute advertising identifiers. For a light bulb app, ad-tracking plumbing sits awkwardly next to privacy-first claims. The app also requests the BILLING permission (com.android.vending.BILLING), so it can sell in-app purchases.
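The permission findings above (sensor, background location, phone state, boot persistence and advertising identifiers) come from reading the app manifest. As an added example, not TP-Link's manifest and not the page's own tooling, the script below pulls requested permissions out of an AndroidManifest.xml and compares them with a baseline for a Wi-Fi-only bulb controller. The manifest is constructed with a subset of the permissions named on this page, the BASELINE set is this editor's assumption of what onboarding a Wi-Fi device reasonably needs, and the script honours maxSdkVersion, because a permission declared only for old Android versions is not requested on a current phone.

```python
"""Extract requested permissions from an AndroidManifest.xml and compare them
with what a Wi-Fi-only bulb controller needs.

Added example; the manifest is constructed, BASELINE is an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed reasonable set for onboarding and controlling a Wi-Fi device.
BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.ACCESS_FINE_LOCATION",  # needed to read SSID / scan results
    "android.permission.NEARBY_WIFI_DEVICES",   # Android 13+ alternative for Wi-Fi scanning
}

CATEGORIES = {
    "sensor": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
               "android.permission.FOREGROUND_SERVICE_MICROPHONE"},
    "background-location": {"android.permission.ACCESS_BACKGROUND_LOCATION",
                            "android.permission.FOREGROUND_SERVICE_LOCATION"},
    "device-identity": {"android.permission.READ_PHONE_STATE"},
    "advertising": {"com.google.android.gms.permission.AD_ID",
                    "android.permission.ACCESS_ADSERVICES_AD_ID",
                    "android.permission.ACCESS_ADSERVICES_ATTRIBUTION"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                    "android.permission.FOREGROUND_SERVICE_DATA_SYNC"},
    "billing": {"com.android.vending.BILLING"},
}

# Constructed manifest with a subset of the permissions named on the page, plus one
# legacy storage permission capped at API 28 to show maxSdkVersion handling.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.bulb.controller">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MICROPHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_AD_ID"/>
  <uses-permission android:name="com.android.vending.BILLING"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="28"/>
</manifest>"""


def requested_permissions(manifest_xml, device_sdk):
    """Permissions the app asks for on a device running the given API level."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        if tag.endswith("sdk-23") and device_sdk < 23:
            continue  # only declared on API 23+
        for el in root.iter(tag):
            name = el.get(ANDROID + "name")
            max_sdk = el.get(ANDROID + "maxSdkVersion")
            if name and (max_sdk is None or device_sdk <= int(max_sdk)):
                perms.add(name)
    return perms


def audit_permissions(manifest_xml, device_sdk=34):
    """Count, diff against the baseline, and bucket the sensitive ones by category."""
    perms = requested_permissions(manifest_xml, device_sdk)
    return {
        "total": len(perms),
        "beyond_baseline": sorted(perms - BASELINE),
        "by_category": {cat: sorted(perms & members)
                        for cat, members in CATEGORIES.items() if perms & members},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_permissions(SAMPLE_MANIFEST), indent=2))
```

To run it against a real APK, decode the manifest first (for example with `apktool d app.apk` and read `AndroidManifest.xml` from the output directory); the binary manifest inside the APK is not plain XML.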
What they claim: TP-Link marketing claims ISO 27001 and ISO 27701 certifications for information security and personal information management systems.
What we found: Despite claiming ISO 27701 certification for privacy information management, the Tapo app declares advertising-identifier permissions (AD_ID, ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION), and the privacy policy admits sharing "aggregated, anonymized information" with "marketing partners" and processing data in countries with potentially "different laws". Note what the certification does and does not say: ISO 27701 attests that a privacy management system exists and is audited, not that data is never shared or exported, so these findings do not void the certificate; they do show that a certified process is compatible with practices the marketing leads users not to expect.
What they claim: TP-Link marketing page states "We Care About Your Privacy and Security" and highlights ISO 27001/27701 certifications. Privacy policy claims they "take your privacy seriously" and use "encryption and TLS technology."
What we found: SECRYPT 2024 research (University of Catania / University of London) found that the L530E uses AES-128-CBC with a deterministic IV (CVE-2023-38909, CVSS 6.5), hard-coded short shared secrets in TSKEP authentication (CVE-2023-38908, CVSS 6.5), and insufficient message freshness that allows replay attacks (CVE-2023-38907, CVSS 7.5); the fourth, CVE-2023-38906, is the missing authentication of the bulb towards the app that the setup-AP impersonation exploits. The device was the primary test subject for this research. Four CVEs assigned to a light bulb.
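To make the deterministic-IV finding concrete, here is an added example (not TP-Link's code and not the paper's) showing what CBC with a fixed IV leaks: two encryptions of the same command are byte-identical, and two commands that begin the same way share their leading ciphertext blocks, so an observer needs no key to recognise "turn on" on the wire and to queue it for replay. Python's standard library has no AES, so the block function is a keyed PRF built from SHA-256 standing in for the AES block encryption; the chaining is ordinary CBC and the property shown does not depend on that choice. The key, the all-zero IV and the two JSON-style commands are assumptions.

```python
"""What a static IV gives away in CBC mode. Added example, not TP-Link's code.

The AES block encryption is replaced by a SHA-256 keyed PRF (stdlib has no AES);
encryption direction only, which is all the comparison needs.
"""
import hashlib
import os

BLOCK = 16
STATIC_IV = b"\x00" * BLOCK  # assumed stand-in for a fixed or derivable IV


def _block_encrypt(key, block):
    """AES stand-in: keyed, deterministic, 16 bytes in, 16 bytes out."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key, iv, plaintext):
    """Textbook CBC: each plaintext block is XORed with the previous ciphertext block."""
    assert len(iv) == BLOCK
    padded = _pkcs7_pad(plaintext)
    out, prev = bytearray(), iv
    for i in range(0, len(padded), BLOCK):
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        prev = _block_encrypt(key, chunk)
        out += prev
    return bytes(out)


def encrypt_static_iv(key, plaintext):
    """The weak construction: the same IV for every message."""
    return STATIC_IV + cbc_encrypt(key, STATIC_IV, plaintext)


def encrypt_random_iv(key, plaintext):
    """The standard construction: a fresh random IV per message, sent in the clear."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def shared_prefix_blocks(ct_a, ct_b):
    """Count leading ciphertext blocks (IV excluded) that two messages have in common."""
    a, b = ct_a[BLOCK:], ct_b[BLOCK:]
    n = 0
    while (n + 1) * BLOCK <= min(len(a), len(b)) and \
            a[n * BLOCK:(n + 1) * BLOCK] == b[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n


def demo(key=b"k" * 16):
    """Two constructed commands that differ only in the on/off value (byte 50 onward)."""
    cmd_on = b'{"method":"set_device_info","params":{"device_on":true}}'
    cmd_off = b'{"method":"set_device_info","params":{"device_on":false}}'
    s_on1, s_on2, s_off = (encrypt_static_iv(key, m) for m in (cmd_on, cmd_on, cmd_off))
    r_on1, r_on2, r_off = (encrypt_random_iv(key, m) for m in (cmd_on, cmd_on, cmd_off))
    return {
        # Same command twice: identical bytes, so an eavesdropper can match and replay it.
        "static_same_command_identical": s_on1 == s_on2,
        # on vs off share the first 50 plaintext bytes, so 3 full ciphertext blocks match.
        "static_shared_blocks_on_vs_off": shared_prefix_blocks(s_on1, s_off),
        "random_same_command_identical": r_on1 == r_on2,
        "random_shared_blocks_on_vs_off": shared_prefix_blocks(r_on1, r_off),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A random IV stops the ciphertext from identifying the command, but on its own it does nothing against replaying a captured message unchanged; that needs the freshness check covered under CVE-2023-38907.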
What they claim: TP-Link privacy policy claims data is protected with "encryption and TLS technology" and staff access is restricted to "minimum necessary personnel."
What we found: TP-Link's own vendor advisory (FAQ 3722) acknowledges CVE-2023-38906, CVE-2023-38908 and CVE-2023-38909 but omits CVE-2023-38907, the highest-scored of the four (CVSS 7.5) and the one that allows message replay. The advisory warns users that "vulnerabilities will remain if you do not take all the recommended actions" and disclaims responsibility. TP-Link selectively disclosed the vulnerabilities in its own advisory.
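Since the omitted CVE is the replay one, here is an added example (not TP-Link's protocol and not the paper's code) of the bug class beside its fix. The message layout (a JSON body carrying a nonce and a Unix timestamp, followed by an HMAC-SHA256 tag), the shared key and the 30-second tolerance window are assumptions chosen to show the property. The "replayable" receiver only checks the tag, so an authentic captured command stays valid forever; the "fresh" receiver also demands an unseen nonce and a timestamp close to its own clock, and rejects the same capture both immediately and an hour later.

```python
"""Replay against a command protocol with no message freshness, beside the fix.

Added example, not TP-Link's code; message format, key and window are assumptions.
"""
import hashlib
import hmac
import json
import secrets
import time

KEY = b"demo-shared-secret"  # stand-in for whatever app and bulb share


def seal(command, key=KEY, clock=time.time):
    """Attach nonce + timestamp, then a MAC over the canonical JSON body."""
    body = dict(command, nonce=secrets.token_hex(8), ts=int(clock()))
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    return raw + b"." + tag


def _check_tag(message, key):
    """Return the parsed body if the MAC verifies, else None."""
    raw, _, tag = message.rpartition(b".")
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(raw)


class ReplayableReceiver:
    """Authenticity only: anything with a valid tag is executed, however old."""

    def __init__(self, key=KEY):
        self.key = key

    def accept(self, message):
        return _check_tag(message, self.key)


class FreshReceiver:
    """Authenticity plus freshness: unseen nonce and timestamp within the window."""

    def __init__(self, key=KEY, window=30, clock=time.time):
        self.key, self.window, self.clock = key, window, clock
        self.seen = {}  # nonce -> ts; entries older than the window are pruned

    def accept(self, message):
        body = _check_tag(message, self.key)
        if body is None:
            return None
        now = int(self.clock())
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if abs(now - body["ts"]) > self.window:
            return None  # stale message (or clock far off): refuse
        if body["nonce"] in self.seen:
            return None  # exact replay inside the window: refuse
        self.seen[body["nonce"]] = body["ts"]
        return body


def demo():
    """Capture one 'turn on', replay it now and an hour later, and tamper with it."""
    now = [1_700_000_000]  # controllable clock so the run is deterministic
    clock = lambda: now[0]
    captured = seal({"method": "set_device_info", "params": {"device_on": True}}, clock=clock)
    weak, fresh = ReplayableReceiver(), FreshReceiver(clock=clock)

    def both(msg):
        return (weak.accept(msg) is not None, fresh.accept(msg) is not None)

    results = {"first": both(captured), "replay_now": both(captured)}
    now[0] += 3600
    results["replay_later"] = both(captured)
    results["tampered"] = both(captured.replace(b"true", b"false"))
    return results


if __name__ == "__main__":
    for name, (weak_ok, fresh_ok) in demo().items():
        print(f"{name:13s} replayable={weak_ok} fresh={fresh_ok}")
```

The tuple order in each result is (replayable receiver, fresh receiver). A real device also has to survive reboots without a trustworthy clock, which is why protocols usually let the device issue a challenge nonce instead of trusting the sender's timestamp; the window-plus-nonce form here is the simplest version that defeats the captured-message replay.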
What they claim: Product page markets the L530E as a simple "Smart Wi-Fi Light Bulb" with features like Schedule & Timer, Sunrise & Sunset mode, and voice control. No mention of security risks or data collection.
What we found: The same device was the subject of a peer-reviewed academic paper (SECRYPT 2024) documenting four CVEs and a novel attack that steals Wi-Fi credentials. The product page makes no mention of the security research, the CVEs, the firmware updates needed, or the risk of Wi-Fi credential theft during setup. Product marketing presents the device as a simple convenience product while omitting its documented security history.
What they claim: The L530E connects to 5 hardcoded cloud endpoints across three global regions (EU, US, Asia-Pacific) for a device whose sole function is on/off and color control.
What we found: The FCC filing for TE7LM500 certifies the LM500 module for Wi-Fi 802.11b/g/n only; that is the bulb's sole radio. There is no supported local-only control option: the Tapo app requires a cloud login and cloud connectivity to function, even though the app-to-bulb commands the researchers analysed travel over the local network. Five hardcoded endpoints (euw1-api.tplinkcloud.com, use1-api.tplinkcloud.com, aps1-api.tplinkcloud.com, devs.tplinkcloud.com, n-devs.tplinkcloud.com) mean the bulb keeps a connection to TP-Link servers whenever it is online. If TP-Link's cloud goes down, users cannot control their own light bulbs through the app.
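The endpoint list is easy to verify from your own resolver, and that is the check a practitioner would run before deciding whether to segment or block the bulb. As an added example (not TP-Link's code), the script below reads dnsmasq-style query lines, counts which LAN clients resolve hosts under tplinkcloud.com, and tags the five endpoints named above. The log format ("query[A] name from client") is an assumption about your resolver, the log lines are constructed, and the host other.tplinkcloud.com is made up to show that any name under the suffix is counted, not only the five known ones.

```python
"""Which LAN hosts talk to the TP-Link cloud, from resolver query logs.

Added example, not TP-Link's code. Log lines are constructed in dnsmasq's
query format; adjust QUERY_RE for another resolver.
"""
import re
from collections import Counter, defaultdict

# The five endpoints listed on the page.
KNOWN_ENDPOINTS = {
    "euw1-api.tplinkcloud.com",
    "use1-api.tplinkcloud.com",
    "aps1-api.tplinkcloud.com",
    "devs.tplinkcloud.com",
    "n-devs.tplinkcloud.com",
}
CLOUD_SUFFIX = ".tplinkcloud.com"

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

# Constructed log: one bulb (.42) hitting three known endpoints, a second device (.43)
# hitting one known endpoint plus a made-up host under the same suffix, and a laptop (.10).
SAMPLE_LOG = """\
Jan 10 08:00:01 gw dnsmasq[812]: query[A] euw1-api.tplinkcloud.com from 192.168.1.42
Jan 10 08:00:01 gw dnsmasq[812]: query[A] devs.tplinkcloud.com from 192.168.1.42
Jan 10 08:00:02 gw dnsmasq[812]: query[A] www.example.org from 192.168.1.10
Jan 10 08:05:01 gw dnsmasq[812]: query[A] euw1-api.tplinkcloud.com from 192.168.1.42
Jan 10 08:05:03 gw dnsmasq[812]: query[A] n-devs.tplinkcloud.com from 192.168.1.42
Jan 10 08:06:00 gw dnsmasq[812]: query[A] aps1-api.tplinkcloud.com from 192.168.1.43
Jan 10 08:06:00 gw dnsmasq[812]: query[AAAA] other.tplinkcloud.com from 192.168.1.43
"""


def parse_queries(log_text):
    """Yield (client, name, qtype) for each query line; unrelated lines are ignored."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("name").lower().rstrip("."), m.group("qtype")


def cloud_talkers(log_text):
    """Map client -> Counter of tplinkcloud.com names it resolved."""
    per_client = defaultdict(Counter)
    for client, name, _ in parse_queries(log_text):
        if name == CLOUD_SUFFIX[1:] or name.endswith(CLOUD_SUFFIX):
            per_client[client][name] += 1
    return per_client


def summarize(log_text):
    """Per client: query count, which known endpoints it used, and any other cloud hosts."""
    return {
        client: {
            "queries": sum(names.values()),
            "known_endpoints": sorted(n for n in names if n in KNOWN_ENDPOINTS),
            "other_cloud_hosts": sorted(n for n in names if n not in KNOWN_ENDPOINTS),
        }
        for client, names in cloud_talkers(log_text).items()
    }


if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG).items():
        print(client, info)
```

Feed it `grep tplinkcloud /var/log/dnsmasq.log` (or the equivalent for your resolver) to get the list of hosts to move into an IoT VLAN; as the page notes, blocking these names at the resolver will also stop the Tapo app from controlling the bulb.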