        _______               __                   _______
       |   |   |.---.-..----.|  |--..-----..----. |    |  |.-----..--.--.--..-----.
       |       ||  _  ||  __||    < |  -__||   _| |       ||  -__||  |  |  ||__ --|
       |___|___||___._||____||__|__||_____||__|   |__|____||_____||________||_____|
                                                             on Gopher (inofficial)
       
       
       COMMENT PAGE FOR:
         TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy
       
       
        magmostafa wrote 16 min ago:
        This is exactly why network segmentation is critical for IoT devices. I
        always recommend putting all smart cameras and IoT devices on a
        separate VLAN with no direct internet access - only local network
        access through a firewall with strict egress rules.
        
        For anyone concerned about their TP-Link cameras, consider:
        1. Disable UPnP on your router
        2. Use VLANs to isolate IoT devices
        3. Block all outbound traffic except specific required endpoints
        4. Consider replacing stock firmware with open alternatives when
        available
        5. Regularly check for firmware updates (though as this article shows,
        updates can be slow)
        
        The hardcoded keys issue is particularly troubling because it means
        these vulnerabilities persist across the entire product line. Thanks
        for the detailed writeup - this kind of research is invaluable for the
        security community.
       
          realcul wrote 9 min ago:
           Do you happen to have a guide on how to achieve this? I am fairly
           technical, but still, configuring VLANs and moving devices there
           would be good with some step-by-step instructions.
       
        VladVladikoff wrote 37 min ago:
        >25000 devices exposed directly
        
        How does this happen? Doesn’t pretty much every ISP give a router
        with their modem? How do people manage this?
       
        tamimio wrote 1 hour 49 min ago:
         Great article. I have the same model, and a few months ago I did notice
         it was restarting at a non-scheduled time; you can tell it restarts
         because it does a full rotation. The first time it happened I ignored
         it, but the second time I knew something was up, so I disconnected it
         and it has been offline since then. It was recording an insignificant
         thing anyway.
       
        syntaxing wrote 2 hours 10 min ago:
         This is why all my cameras, internal or external, live on an isolated
         VLAN with no internet access. It’s nice because HomeKit can still
         talk to them and I can see them online or locally without an
         additional app, even though the cameras themselves have no internet
         access.
       
        tehlike wrote 2 hours 32 min ago:
        Thingino supports C200
        
         [1]: https://thingino.com/#:~:text=SC3336%2C%20WQ9001%2C%208MB-,TP%...
       
          c0l0 wrote 2 hours 22 min ago:
          I came here to post this, too :) What the thingino community managed
          to do with their firmware for these cameras is nothing short of
          amazing - if you happen to have a compatible camera, you really,
          really should give it a whirl!
       
            rescbr wrote 48 min ago:
            Oh, this is great! I do have this exact camera and another one
            that’s on the list!
            
            I’m more than happy to ditch the scrappy RTSP setup that I have
            to support these cheap cameras!
       
        nine_k wrote 2 hours 36 min ago:
        I more and more tend to not buy any network-connected product if
        there's no open-source firmware to run on it.
        
         (Phones are one notable exception. I need contactless payments to work.)
       
          tehlike wrote 1 hour 51 min ago:
           Good thing some Tapos do have alternative firmware like Thingino.
       
          mindslight wrote 2 hours 26 min ago:
          If you call up your contactless payment provider, most will send you
          a physical device that will do contactless payments on its own, for
          free even. You can tape it to the back of your phone, or anywhere
          else for that matter.
       
            chatmasta wrote 1 hour 41 min ago:
            Also, your phone doesn’t need to be connected to the internet for
            contactless payments, anyway.
       
        rao-v wrote 2 hours 39 min ago:
        I'm a little frustrated with articles like this that scattershot their
        critique by conflating genuine failures with problems that even FAANGs
        struggle with.
        
        In particular, I don't love it when an article attacks a best practice
        as a cheap gotcha:
        
        "and this time it was super easy! After some basic reversing of the
        Tapo Android app, I found out that TP-Link have their entire firmware
        repository in an open S3 bucket. No authentication required. So, you
        can list and download every version of every firmware they’ve ever
        released for any device they ever produced"
        
        That is a good thing - don't encourage security through obscurity! The
        impact of an article like this is as likely to get management to
        prescribe a ham-handed mandate to lock down firmware as it is to get
        them to properly upgrade their security practices.
       
          theropost wrote 15 min ago:
          I think this kind of critique often leans too hard on “security
          through obscurity” as a cheap punchline, without acknowledging that
          real systems are layered, pragmatic, and operated by humans with
          varying skill levels. An open firmware repository, by itself, is not
          a failure. In many cases it is the opposite: transparency that allows
          scrutiny, reproducibility, and faster remediation. The real risk is
          not that attackers can see firmware, but that defenders assume
          secrecy is doing work that proper controls should be doing anyway.
          
          What worries me more is security through herd mentality, where
          everyone copies the same patterns, tooling, and assumptions. When one
          breaks, they all break. Some obscurity, used deliberately, can raise
          the bar against casual incompetence and lazy attacks, which, frankly,
          account for far more incidents than sophisticated adversaries. We
          should absolutely design systems that are easy to operate safely, but
          there is a difference between “simple to use” and “safe to run
          critical infrastructure.” Not every button should be green, and not
          every role should be interchangeable. If an approach only works when
          no one understands it, that is bad security. But if it fails because
          operators cannot grasp basic layered defenses, that is a staffing and
          governance problem, not a philosophy one.
       
            fn-mote wrote 2 min ago:
            >  An open firmware repository, by itself, is not a failure
            
            Isn’t the complaint that the location of the repo is not
            publicized?
            
            Nobody would complain if it were linked directly from the
            company’s web page, I assume?
       
          Angostura wrote 2 hours 4 min ago:
           I didn't really interpret that as a particular criticism.
       
          jabedude wrote 2 hours 4 min ago:
           I didn't notice a negative tone at all when he talked about the
           firmware being publicly hosted. You did?
       
          tecleandor wrote 2 hours 30 min ago:
           Yep, I think it should always be that way; firmware should always be
           available.
       
        SilverElfin wrote 2 hours 51 min ago:
        So which camera brand has adequately designed software? It’s hard to
        know as a consumer what to trust or not trust, because how do you
        evaluate the quality of their work when the device SEEMS to work as
        expected? Is Ring the only choice?
       
          ssl-3 wrote 1 hour 36 min ago:
          If the firmware is not open and buildable, then it can only be an
          untrustable black box.
          
          If you don't want untrustable black boxes hanging around, then your
          options become pretty limited.
          
           You can DIY something with an SBC like a Raspberry Pi or whatever.
           You can hang USB cameras off of your computers like it's 2002 again.
           You can try to find something that OpenIPC or thingino or whatever
           supports. (You'll never finish with this project as the years wear
           on, the hardware fails, product availability ebbs and flows, and the
           scope changes. Maybe that sounds like a fun way to burn time for
           someone, but it doesn't sound like fun to me.)
           
           Or, you can accept that the world is corrupted -- and by extension,
           the cameras are also all corrupted.
           
           The safe solution is then actually pretty simple: Use wired-only
           cameras that work with Frigate (or whatever your local NVR of choice
           may be), keep them on their own private VLAN that lacks Internet
           access, and don't worry about it.
           
           The less-safe solution is also pretty simple: Do what everyone else
           is doing, and just forget the problem exists at all. Switch your
           brain off, buy whatever, and use it. (And if there's an area that
           you don't want other people to see, then: Don't put a camera there.)
          
          (We probably are not as interesting as we may think we are, anyway.)
       
          notjosh wrote 2 hours 44 min ago:
          I've installed Thingino on my cameras such as this. Cheap camera +
          custom (local only!) firmware is a good solution imo.
          
          No guarantee that it'll be perfect either, obviously, but it's open
          source and actively maintained. Highly recommended.
       
        robertpohl wrote 3 hours 1 min ago:
         If a friend has this camera, should he be worried?
       
          g5pw wrote 1 hour 10 min ago:
           As @tehlike said in a sibling comment, it looks like it is supported
           by [1], so you can 'update' the firmware to a more secure (and FOSS)
           one!
          
           [1]: https://thingino.com
       
          userbinator wrote 1 hour 29 min ago:
          If it's isolated from the Internet, no.
       
          tamimio wrote 1 hour 32 min ago:
          Per the article, the attacker can restart the camera and potentially
          find the accurate position of it. However, if the attacker can be
          physically in proximity within the camera range, they can MITM it and
          intercept the video feed. So it depends on your friend's threat
          model. If the camera is recording something in a public location and
          they don't mind the location being exposed and potentially the video
          feed (like plenty of live public cameras), then it shouldn't be an
          issue. Otherwise, they need to disable it until it gets fixed.
       
          buddhistdude wrote 2 hours 17 min ago:
           Not necessarily worried, but like, put on some pants before entering
           the room.
       
          sciencejerk wrote 2 hours 39 min ago:
          Yep
       
        shreddit wrote 3 hours 22 min ago:
         As soon as I read that the author used Grok as an AI assistant, I was
         somehow less interested in continuing to read. Not because of the
         usage of AI, but because of the chosen provider. (I don’t know whether
         Grok is just the best choice for this kind of work.)
         
         Is it wrong to judge people for their choice of AI providers?
       
          kernal wrote 1 hour 37 min ago:
          No, because it allows us to evaluate the type of person you are. For
          example, I can tell you're a member of Bluesky.
       
          vablings wrote 2 hours 9 min ago:
          I think it's hard to say. Grok is pretty good and also fairly free
          with good usage limits.
          
          Every single AI company in my opinion is committing fairly grave
          misdeeds with the ruthless scraping of the internet and lack of
          oversight.
          
          Not to mention the shady backdoor deals going on with big tech and
          the current administration.
          
           Grok is also pretty bad with its whole gas turbines in one state and
           datacenter in another and some possible environmental issues.
           
           It's more of a pick-your-poison at this point.
       
          scotty79 wrote 3 hours 10 min ago:
           It's worth interacting with all models. In my experience, for
           programming questions Grok delivered better answers than ChatGPT (and
           Claude) often enough that at some point I wasn't sure which model I
           should be asking first.
       
          sva_ wrote 3 hours 14 min ago:
          I think when your political views cloud your ability to take in
          information on an objective level, it might be bad.
       
            wh0thenn0w wrote 3 hours 13 min ago:
            You can just not like Elon, doesn't have to be political at all.
       
          walterbell wrote 3 hours 18 min ago:
          Which AI providers have access to real-time Twitter data?
       
            sroussey wrote 23 min ago:
            Ones with better answers. Twitter dumbs down grok.
       
            blibble wrote 2 hours 42 min ago:
             When has anything of value been posted on Twitter?
       
            2gremlin181 wrote 2 hours 54 min ago:
            Genuinely curious, what are some use cases that you require live
            Twitter data in your LLM for?
       
        mlaretallack wrote 3 hours 26 min ago:
         Very interesting. I had a go with Ghidra and AWS Amazon Q, and used it
         to reverse the video feed on a toy drone. I did not think to look for
         GhidraMCP; it would have made it a lot quicker.
       
        aaronax wrote 3 hours 26 min ago:
         This is so bad that it must be intentional, right? Even though these
         are dirt cheap, they couldn't come up with $100,000 to check for
         run-of-the-mill vulnerabilities? There must be many millions sold.
         Quite handy for some intel agencies.
         
         I assume any Wi-Fi camera under $150 has basically the same problems.
         I guess the only way to run a security camera where you don't have
         Ethernet is to use a non-proprietary Wi-Fi <-> 1000BASE-T adapter.
         Probably only something homebuilt based on a single board computer and
         running basically stock Linux/BSD meets that requirement.
       
          Aurornis wrote 1 hour 58 min ago:
          > This is so bad that it must be intentional, right? Even though
          these are dirt cheap, they couldn't come up with $100,000 to check
          for run-of-the-mill vulnerabilities?
          
          The camera sells for $17.99 on their website right now.
          
          Subtract out the cost of the hardware, the box, warehousing, transit
          to the warehouse, assembly, testing, returns, lost shipments,
          warranty replacements, support staff, and everything else, then
          imagine how much is left over for profit. Let's be very optimistic
          and say $5 per unit.
          
          That $5 per unit profit would mean an additional $100,000 invested in
          software development would be like taking 20,000 units of this camera
          and lighting them on fire. Or they could not do that and improve
          their bottom line numbers by $100,000.
          
          TP-Link has a huge lineup of products and is constantly introducing
          new things. Multiply that $100,000 across the probably 100+ products
          on their websites and it becomes tens of millions of dollars per
          year.
          
          The only way these ultra-cheap products are getting shipped at these
          prices is by doing the absolute bare minimum of software development.
          They take a reference design from the chip vendor, have 1 or 2 low
          wage engineers change things in the reference codebase until it
          appears to work, then they ship it.
       
          fylo wrote 2 hours 45 min ago:
          Don't put them on untrusted networks. This always seemed obvious to
          me.
       
            tehlike wrote 1 hour 51 min ago:
             An untrusted network is not sufficient; you need to cut them off
             from the internet, in general.
       
            aaronax wrote 2 hours 6 min ago:
             My initial read of proximity being sufficient to exploit 3 is
             incorrect, so yeah, as long as you control the Wi-Fi network
             sufficiently, then things should be fine.
       
          tehlike wrote 2 hours 45 min ago:
          Some cameras that "charge" with USB also can use a USB network
          adapter (provided they can supply power).
          
           For the tech savvy, there is Thingino as a firmware alternative -
           works local only, no cloud, and supports MQTT etc.
       
            stragies wrote 12 min ago:
             Is there a table of supported hardware that contains info about
             the USB connection (or Ethernet) on these devices? Like, which have
             data lines connected, and can the device electrically do host and
             device mode? Can I use a POE2USBC adapter that presents itself as
             a USB network device to the camera?
             Ability to filter on those columns would be great.
             Is Thingino using the Ingenic Linux kernel 3.ancient SDK version,
             or do they have/use something newer?
       
          formerly_proven wrote 3 hours 2 min ago:
          > I assume any Wi-Fi camera has basically the same problems.
          
          ftfy
       
        JaggedJax wrote 3 hours 31 min ago:
         It's probably fair to assume that most of their other camera models are
         affected by the same or similar issues. It looks like they pump out
         quite a few models that I imagine have similar firmware.
         
         This page[1] lists the C200 as last having a firmware update in
         October, but also lists the latest version as 1.4.4 while the article
         lists 1.4.2. It seems like they have pushed other updates in this time,
         but not these security fixes.
        
         [1]: https://community.tp-link.com/us/smart-home/kb/detail/412852
       
          tehlike wrote 2 hours 46 min ago:
          They lend themselves to local connections, however, so they are
          workable for the tech savvy.
          
          Definitely a problem for regular users.
       
          sidewndr46 wrote 3 hours 2 min ago:
           I looked at some older Zyxel products and came to the same conclusion
           a while back. There's a whole industry of labeling generic hardware
           as being part of someone else's ecosystem.
           
           [1]: https://www.hydrogen18.com/blog/hacking-zyxel-ip-cameras-pt-...
           [2]: https://www.hydrogen18.com/blog/hacking-zyxel-ip-cameras-pt-...
       
       