TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy
8 hours ago
- #IoT Security
- #Reverse Engineering
- #Vulnerability Disclosure
- The author recommends starting reverse engineering with cheap IP cameras due to their self-contained ecosystems.
- TP-Link Tapo C200 cameras are highlighted as affordable and stable devices for reverse engineering.
- AI-assisted reverse engineering was used to analyze the Tapo C200 firmware, revealing several vulnerabilities.
- The firmware was easily obtained from an open S3 bucket containing TP-Link's firmware repository.
- Decryption of the firmware was achieved using the tp-link-decrypt tool, leveraging keys from TP-Link's GPL code releases.
- Several security vulnerabilities were discovered, including pre-auth memory overflow, HTTPS integer overflow, WiFi hijacking, and nearby WiFi network scanning.
- The vulnerabilities enable remote attacks, including denial of service (DoS), man-in-the-middle (MitM) interception, and physical location tracking of the cameras.
- Disclosure attempts with TP-Link were met with delays, leading to public disclosure after 150 days without patches.
- TP-Link's role as a CVE Numbering Authority (CNA) presents a conflict of interest, especially when CVE counts are used for marketing.