←back to thread

Wanted to spy on my dog, ended up spying on TP-Link

(kennedn.com)
436 points kennedn | 3 comments | 15 Sep 25 16:28 UTC | HN request time: 0s | source
Show context
micah94 ◴[15 Sep 25 17:17 UTC] No.45252395[source]
So we're at the point that finding hardcoded admin passwords is no big deal.
replies(5): >>45252452 #>>45252526 #>>45253010 #>>45253096 #>>45254073 #
mtlynch ◴[15 Sep 25 18:08 UTC] No.45253010[source]
It's a hardcoded default password, not a permanent backdoor. If I'm understanding the post correctly, the user changes it as part of the onboarding flow.

This is the way most apps work if they have a default password the user is supposed to change.

replies(2): >>45253178 #>>45253581 #
bri3d ◴[15 Sep 25 18:20 UTC] No.45253178[source]
The device should ideally have some kind of secret material derived per device, like a passphrase generated from an MCU serial number or provisioned into EEPROM and printed on a label on the device.

Some form of "enter the code on the device" or "scan the QR code on the device" could then mutually authenticate the app using proof-of-presence rather than hardcoded passwords. This can still be done completely offline with no "cloud" or other access, or "lock in"; the app just uses the device secret to authenticate with the device locally. Then the user can set a raw RTSP password if desired.

This way unprovisioned devices are not nearly as vulnerable to network-level attacks. I agree that this is Not Awful but it's also Not Good. Right now, if you buy this camera and plug it into a network and _forget_ to set it up, it's a sitting duck for the time window between network connection and setup.

replies(7): >>45253258 #>>45253284 #>>45253613 #>>45254911 #>>45255062 #>>45258381 #>>45259653 #
some_random ◴[15 Sep 25 18:29 UTC] No.45253284[source]
If you buy the camera, plug it in, and forget to set it up, you just flat out can't use it right? I agree that proof of presence is way better but how many people are seriously going to be affected?
replies(1): >>45253306 #
1. bri3d ◴[15 Sep 25 18:30 UTC] No.45253306[source]
No, if you buy the camera, plug it in, and forget to set it up, then someone can use the default password and key material stored in the app to pretend to be the app and provision it on your behalf.

That's the only real vulnerability here, and it's no big deal, but it is A Thing and there is definitely a better way to do this that doesn't lose the freedom of full-offline.

replies(2): >>45253354 #>>45259260 #
2. some_random ◴[15 Sep 25 18:35 UTC] No.45253354[source]
Ok yeah I think we're in agreement then.
3. 2rsf ◴[16 Sep 25 07:46 UTC] No.45259260[source]
There could be another scenario. I assume that factory resetting the camera will bring back the default password. Factory reset is a long press on the power button (in some cheap TPlink camera), so in theory someone with physical access can take control over the camera without you noticing until you try and use it.