436 points kennedn | 7 comments

micah94 No.45252395
So we're at the point that finding hardcoded admin passwords is no big deal.
replies(5): >>45252452, >>45252526, >>45253010, >>45253096, >>45254073
mtlynch No.45253010
It's a hardcoded default password, not a permanent backdoor. If I'm understanding the post correctly, the user changes it as part of the onboarding flow.

This is the way most apps work if they have a default password the user is supposed to change.

replies(2): >>45253178, >>45253581
bri3d No.45253178
The device should ideally have some kind of secret material derived per device, like a passphrase generated from an MCU serial number or provisioned into EEPROM and printed on a label on the device.

Some form of "enter the code on the device" or "scan the QR code on the device" could then mutually authenticate the app using proof-of-presence rather than hardcoded passwords. This can still be done completely offline with no "cloud" or other access, or "lock in"; the app just uses the device secret to authenticate with the device locally. Then the user can set a raw RTSP password if desired.

This way unprovisioned devices are not nearly as vulnerable to network-level attacks. I agree that this is Not Awful but it's also Not Good. Right now, if you buy this camera and plug it into a network and _forget_ to set it up, it's a sitting duck for the time window between network connection and setup.

replies(7): >>45253258, >>45253284, >>45253613, >>45254911, >>45255062, >>45258381, >>45259653
1. yannyu No.45253258
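One way to build the scheme this comment describes, as an added example that is not code from the thread or from any camera vendor: a per-device secret provisioned at the factory, printed as a QR payload on the label, and used for an offline mutual challenge-response between the phone app and the device before the user is allowed to set an RTSP password. Everything here is hypothetical: the factory root key, the serial, the label format and the message tags are assumptions. The one design choice worth noting is that the secret is a keyed derivation from a factory root key rather than a bare hash of the MCU serial, because the serial is typically visible on the network and an unkeyed derivation would let a network attacker recompute it.

```python
"""Per-device secret provisioning plus proof-of-presence mutual auth.
Added example; hypothetical names and values throughout."""
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Hypothetical factory root key. It never leaves the provisioning line; each
# device secret is a keyed derivation from it, so an attacker who reads the
# public serial off the network still cannot reconstruct the secret.
FACTORY_ROOT_KEY = bytes.fromhex("0f" * 32)  # constructed sample value


def derive_device_secret(serial: str, root_key: bytes = FACTORY_ROOT_KEY) -> bytes:
    """HKDF-style extract/expand (HMAC-SHA256) keyed with the factory root.
    The result is what gets burned into EEPROM and printed on the label."""
    prk = hmac.new(root_key, serial.encode(), hashlib.sha256).digest()
    return hmac.new(prk, b"camera-provisioning-v1\x01", hashlib.sha256).digest()


def qr_payload(serial: str, device_secret: bytes) -> str:
    """Label contents: serial plus secret, encoded as the QR the app scans."""
    return json.dumps({"serial": serial, "secret": device_secret.hex()})


class Device:
    """Camera side. Knows its own secret; accepts no password until authenticated."""

    def __init__(self, serial: str, secret: bytes) -> None:
        self.serial = serial
        self._secret = secret
        self._nonce: Optional[bytes] = None
        self._authenticated = False
        self.rtsp_password: Optional[str] = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify_app(self, app_nonce: bytes, app_proof: bytes) -> Optional[bytes]:
        """Check the app's proof; on success return the device's own proof."""
        if self._nonce is None:
            return None
        dn, self._nonce = self._nonce, None  # single use, so a captured proof cannot be replayed
        expected = hmac.new(self._secret, b"app->device" + dn + app_nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, app_proof):
            return None
        self._authenticated = True
        return hmac.new(self._secret, b"device->app" + app_nonce + dn, hashlib.sha256).digest()

    def set_rtsp_password(self, password: str) -> bool:
        """Only reachable after a successful proof-of-presence exchange."""
        if not self._authenticated:
            return False
        self.rtsp_password = password
        return True


class App:
    """Phone side. Learns the secret only by scanning the label (proof of presence)."""

    def __init__(self, scanned_payload: str) -> None:
        data = json.loads(scanned_payload)
        self.serial: str = data["serial"]
        self._secret = bytes.fromhex(data["secret"])
        self._nonce: Optional[bytes] = None

    def prove(self, device_nonce: bytes) -> Tuple[bytes, bytes]:
        self._nonce = secrets.token_bytes(16)
        proof = hmac.new(self._secret, b"app->device" + device_nonce + self._nonce, hashlib.sha256).digest()
        return self._nonce, proof

    def check_device(self, device_nonce: bytes, device_proof: bytes) -> bool:
        """Authenticate the device too, so a rogue box on the LAN cannot impersonate it."""
        if self._nonce is None:
            return False
        expected = hmac.new(self._secret, b"device->app" + self._nonce + device_nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, device_proof)


def onboard(device: Device, app: App, rtsp_password: str) -> bool:
    """Full offline exchange: mutual auth first, then the user picks a raw RTSP password."""
    device_nonce = device.challenge()
    app_nonce, app_proof = app.prove(device_nonce)
    device_proof = device.verify_app(app_nonce, app_proof)
    if device_proof is None or not app.check_device(device_nonce, device_proof):
        return False
    return device.set_rtsp_password(rtsp_password)


if __name__ == "__main__":
    serial = "CAM-00042"  # constructed sample serial
    secret = derive_device_secret(serial)
    cam = Device(serial, secret)
    phone = App(qr_payload(serial, secret))  # the owner scanned the label
    print("owner onboarding:", onboard(cam, phone, "hunter2"))
    # A network attacker who only learned the serial and guesses an unkeyed derivation.
    intruder = App(qr_payload(serial, hashlib.sha256(serial.encode()).digest()))
    print("attacker onboarding:", onboard(Device(serial, secret), intruder, "pwned"))
```

Nothing in the exchange needs a cloud service: both sides hold the same secret, the nonces are fresh per attempt, and the device clears its nonce after one use, so an unprovisioned camera sitting on the network still refuses to accept a password from anyone who has not read its label.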
AT&T routers, for example, ship like this. There's a wifi network and a wifi password printed onto the device.

But that also means then that often anyone with physical access can easily get into the device. The complicated password provides an additional layer of illusion of security, because people then figure "it's not a default admin password, it should be good". The fundamental problem seems to be "many people are bad at passwords and onboarding flows", and so trying variations on shipping passwords seems to result in mostly the same problems.

replies(3): >>45253323, >>45253393, >>45254597
2. some_random No.45253323
If you have physical access you can just factory reset the device and onboard it with the normal flow though.
replies(2): >>45253537, >>45253781
3. mystifyingpoi No.45253393
Same with Orange branded ones. There is even a QR code that you can scan on your phone - no more typing 16-24 hex characters.

It's hard to decide whether it's good or bad. It is definitely easier. Which I guess matters most in consumer grade routers.

4. No.45253537
5. yannyu No.45253781
That's fair, though at least resetting would indicate that an attack happened. Default passwords and printed passwords can result in undetected attacks, which are arguably worse.
replies(1): >>45255128
6. recursive No.45254597
I feel seen. Why is the security illusory? I still don't understand the problem with this. Is the concern that someone will break into my house to covertly get access to my wifi password?
7. some_random No.45255128
It doesn't change anything in this case though, you can't use the default password against a TP-Link device after it's been onboarded.