Wanted to spy on my dog, ended up spying on TP-Link
9 hours ago
- #IoT Security
- #Reverse Engineering
- #Tapo Camera
- The author bought a Tapo indoor camera to monitor their dog but, out of frustration, ended up reverse-engineering its setup.
- Discovered undocumented behaviors, such as the camera not updating its password when the cloud password changes.
- Used man-in-the-middle (MITM) techniques with tools like Frida and mitmproxy to intercept and analyze the camera's API calls.
- Found that the camera uses a default admin password (TPL075526460603) before cloud onboarding.
- Decompiled the Tapo APK using JADX to uncover the default password and understand the login flow.
- Wrote a script to decrypt and analyze the camera's secure API communications during onboarding.
- Identified key API calls made during setup, including Wi-Fi scanning, password changes, and enabling RTSP/ONVIF.
- Created a Bash script (tapo_onboard.sh) to automate the camera setup without relying on Tapo's cloud services.
- Criticized Tapo's firmware for inconsistent security practices, such as mixed use of SHA-256 and MD5, and unclear public key usage.
- Ultimately, the dog was found to be mostly sleeping when alone.