Bluetooth Flaw in TP-Link Tapo Devices: When Smart Bulbs Broadcast in Plain Text
A security vulnerability in TP-Link Tapo devices leaves sensitive data unencrypted as it crosses the Bluetooth link during initial setup. Firmware updates are available, but only for those who actively look for them.
Key Takeaways
- Japan’s vulnerability portal JVN and TP-Link itself have disclosed CVE-2026-34126: the smart home devices Tapo L535E (smart bulb), Tapo P300 (power strip), and Tapo D100C (doorbell chime) transmit sensitive configuration data in cleartext during the Bluetooth-based setup process.
- An attacker within Bluetooth range can intercept the transmission via Bluetooth sniffing or a man-in-the-middle attack, manipulate transmitted data, or gain unauthorized control of the device during initialization; the CVSS 4.0 score is 7.3 (High).
- Firmware updates delivered through the Tapo app fix the issue, but no automatic OTA update takes place — users must act manually, which once again highlights the structural security problem of passive consumers in the IoT space.
What happens when you set up a Tapo device?
Anyone who has set up a new Tapo smart bulb or power strip knows the routine: open the app, hold the device nearby, wait a moment. What happens in the background is less glamorous than the colorful lights on the ceiling. The device and smartphone exchange configuration data over Bluetooth LE — Bluetooth Low Energy, a short-range wireless technology optimized for minimal power consumption — including device settings, authentication parameters, and other setup data.
That is exactly where the problem lies. According to JVN advisory JVN#70631953 (Japan Vulnerability Notes, Japan’s official vulnerability portal operated by JPCERT/CC and IPA), this transmission occurs without encryption on the affected devices. In technical terms, this is classified as CWE-319 – Cleartext Transmission of Sensitive Information: security-critical data travels through the air in readable form instead of being encrypted.
The vulnerability was discovered by eyegrep and izurina of L Plus LLC, who reported their findings to Japan’s IPA through the country’s coordinated disclosure process known as the Information Security Early Warning Partnership. JPCERT/CC then coordinated the disclosure with TP-Link.
Three products, one vulnerability: CVE-2026-34126
TP-Link’s own security advisory identifies the affected devices in detail:
- Tapo L535E (smart bulb), hardware v3.0 (EU/US) and v1.0 (JP): firmware 1.4.1 Build 251016 Rel.204554 or later.
- Tapo P300 (power strip), hardware v1.0, patched differently by region: EU requires 1.4.2 Build 251219 Rel.142654; JP requires 1.4.0 Build 260416 Rel.014037.
- Tapo D100C (doorbell chime), hardware v1.0 (EU/JP/US): firmware 1.3.1 Build 260421 Rel.031658 or later.
The D100C deserves a closer look. It is not sold as a standalone product but ships bundled with several Tapo doorbell camera models: D130, D210, D235, D225, TD21, TDB21, and TD25. Anyone who owns one of these cameras almost certainly has a D100C in their home — and may not even realize it.
What an attacker would actually need to do
The CVSS 4.0 score of 7.3 classifies this as a high-severity vulnerability, but exploitation requires the attacker to be within Bluetooth range during the setup process. Typical Bluetooth LE range runs between 10 and 30 meters depending on the environment. In apartment buildings, office spaces, or retail stores where someone sets up a device out of the box, that is a realistic attack scenario.
Using inexpensive hardware and freely available software, an attacker could record the unencrypted transmission. At minimum, they could obtain configuration data and authentication parameters; in the worst case, they could gain unauthorized control of the device during initialization. Both TP-Link and JPCERT/CC explicitly cite passive eavesdropping as well as man-in-the-middle attacks as viable attack paths — the latter meaning an attacker actively inserts themselves into the communication flow to manipulate transmitted data.
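The kind of check a practitioner would run over a captured setup session to confirm a CWE-319 finding, as an added example: this is not TP-Link's code and it does not decode the Tapo setup protocol, whose message format the advisories do not describe. It assumes the input is a list of ATT Write values exported from a BLE capture of the provisioning phase (attribute handle, direction, payload); the three sessions below are constructed inline for a hypothetical device so the script runs offline. A payload is flagged as readable when it is mostly printable and carries credential-like key/value pairs, while base64 wrappers around high-entropy bytes are reported as opaque rather than mistaken for cleartext.

```python
"""Triage captured BLE setup traffic for cleartext secrets (CWE-319).

Added example: not TP-Link code and not a decoder for the Tapo setup
protocol. It assumes the input is a list of ATT Write values exported from a
capture of a device's provisioning phase (handle, direction, payload). The
sessions below are constructed inline so the script runs offline.
"""
import base64
import binascii
import math
import re
import string
from collections import Counter

# Constructed samples (hypothetical device, not real Tapo traffic).
# Session A: a JSON configuration written to a GATT characteristic in the clear.
# Session B: 48 high-entropy bytes, as encrypted setup data would look.
# Session C: the same bytes base64-wrapped: printable, but still not readable.
OPAQUE_BYTES = bytes.fromhex(
    "c719f28b045ea3d16f9238e54cb07a1d89f6253bd80e67a4c15f932ae77c18b5"
    "4106fa9e2d63c8b70f54e13a86d94b72"
)
CLEARTEXT_SESSION = [
    (0x0012, "write", b'{"ssid":"HomeNet","password":"hunter2!","token":"a1b2c3d4"}'),
    (0x0012, "write", b'{"tz":"Europe/Berlin","name":"Kitchen bulb"}'),
]
ENCRYPTED_SESSION = [(0x0012, "write", OPAQUE_BYTES)]
BASE64_SESSION = [(0x0012, "write", base64.b64encode(OPAQUE_BYTES))]

# Printable ASCII plus tab/newline/CR; vertical tab and form feed are excluded
# because they rarely appear in real text but often in random bytes.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}
SECRET_KV = re.compile(
    rb'"?(password|passwd|pwd|psk|token|secret|key)"?\s*[:=]\s*"?([^",}\s]+)', re.I
)
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to log2(len) for random data, well below for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def classify(data: bytes) -> str:
    """'cleartext', 'opaque', or 'opaque-base64'.

    A mostly printable payload is treated as readable unless it is a base64
    wrapper around non-printable bytes. Short tokens are not unwrapped, since
    an 8-character word also happens to be valid base64.
    """
    if printable_ratio(data) < 0.9:
        return "opaque"
    if len(data) >= 16 and len(data) % 4 == 0 and B64_RE.match(data):
        try:
            inner = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return "cleartext"
        if printable_ratio(inner) < 0.9:
            return "opaque-base64"
    return "cleartext"


def find_secrets(data: bytes) -> list:
    """Credential-like key/value pairs readable in the payload."""
    return [(k.decode().lower(), v.decode(errors="replace"))
            for k, v in SECRET_KV.findall(data)]


def triage(session) -> list:
    """One finding per captured write: verdict, entropy and any exposed secrets."""
    findings = []
    for handle, direction, value in session:
        verdict = classify(value)
        findings.append({
            "handle": handle,
            "direction": direction,
            "verdict": verdict,
            "entropy": round(shannon_entropy(value), 2),
            "secrets": find_secrets(value) if verdict == "cleartext" else [],
        })
    return findings


def has_cleartext_secrets(session) -> bool:
    """True when any write in the session exposes a credential-like value."""
    return any(f["secrets"] for f in triage(session))


if __name__ == "__main__":
    for name, session in (("A cleartext", CLEARTEXT_SESSION),
                          ("B encrypted", ENCRYPTED_SESSION),
                          ("C base64", BASE64_SESSION)):
        for f in triage(session):
            print(name, f"handle=0x{f['handle']:04x}", f["verdict"],
                  f"H={f['entropy']}", f["secrets"])
```

The printable-ratio test, not entropy, does the real discrimination: a 50-byte JSON blob and 50 random bytes differ by barely one bit of entropy per byte, so entropy is reported only as a hint. The base64 unwrapping is what keeps an encrypted blob embedded in a text-based message from being reported as a cleartext finding.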
One important caveat: the Bluetooth connection is used exclusively during the initial setup phase. Anyone who has been running their device for months is not continuously exposed. The window reopens only during a factory reset or re-setup.
The update dilemma in consumer IoT
The technical fix is straightforward: apply the firmware update. But that is precisely where the real problem begins. TP-Link provides the patches — and relies entirely on users to apply them. In the Tapo app, users must select the affected device, navigate to settings, and explicitly tap “Firmware Update.” For the D100C, the path is even less obvious: the chime does not appear as a standalone entry in the device list but is managed through the associated camera.
This is not a TP-Link-specific problem. It describes a structural gap in consumer IoT: devices deployed in millions of homes whose security posture depends entirely on whether someone actively checks an app for updates. Smart bulbs are not servers monitored by an IT team. They hang from the ceiling and get forgotten.
Automatic OTA updates — over-the-air firmware delivery without any user action — would be the obvious solution, and the technology to do it exists. But widespread implementation across consumer IoT remains inconsistent. The EU’s Cyber Resilience Act, which will become binding for connected products from late 2027, will require manufacturers to maintain security management across the entire product lifecycle. Until then, the update button in the app remains the only answer.
TP-Link’s growing security advisory list
CVE-2026-34126 does not stand alone. A look at TP-Link’s public security advisory page reveals a long list of recent entries: Archer routers with authentication rate-limiting issues, Tapo cameras with command injection vulnerabilities, power strips with cleartext credential storage. This is not evidence of particular negligence on the manufacturer’s part — TP-Link is far from the only vendor maintaining such a list. What it does illustrate is how broad the attack surface is across mass-market IoT.
For small businesses and home users who buy and operate Tapo devices without any formal security strategy, these disclosures are not abstract CVE numbers. They are concrete risks in concrete power sockets.
What to do now
Anyone who owns a Tapo L535E, P300, or D100C should open the Tapo app and check all listed devices for available firmware updates. Anyone who owns one of the affected doorbell camera models (D130, D210, D235, D225, TD21, TDB21, TD25) should also check the bundled D100C chime — it appears under the camera entry in the settings menu.
As a practical takeaway from the described attack scenario: anyone setting up devices in publicly accessible areas or within range of unknown third parties should make sure the firmware is up to date before any re-setup or factory reset. A device straight out of the box has not yet received the patch, so its first pairing necessarily runs the unpatched setup path; the realistic mitigation there is to perform the initial setup out of range of untrusted parties and to install the update immediately afterwards.
Compared to remote code execution vulnerabilities or attack vectors over the open internet, the exploitability of this flaw is limited. It requires physical proximity and a narrow window of opportunity. Even so, it illustrates a design principle that is too rarely questioned in the IoT space: the initial setup process is a security-critical moment. It is when devices are most exposed.