
460 points kennedn | 1 comments
micah94 No.45252395
So we're at the point that finding hardcoded admin passwords is no big deal.
replies(5): >>45252452 #>>45252526 #>>45253010 #>>45253096 #>>45254073 #
mtlynch No.45253010
It's a hardcoded default password, not a permanent backdoor. If I'm understanding the post correctly, the user changes it as part of the onboarding flow.

This is the way most apps work if they have a default password the user is supposed to change.

replies(2): >>45253178 #>>45253581 #
bri3d No.45253178
The device should ideally have some kind of secret material derived per device, like a passphrase generated from an MCU serial number or provisioned into EEPROM and printed on a label on the device.

Some form of "enter the code on the device" or "scan the QR code on the device" could then mutually authenticate the app using proof-of-presence rather than hardcoded passwords. This can still be done completely offline with no "cloud" or other access, or "lock in"; the app just uses the device secret to authenticate with the device locally. Then the user can set a raw RTSP password if desired.

This way unprovisioned devices are not nearly as vulnerable to network-level attacks. I agree that this is Not Awful but it's also Not Good. Right now, if you buy this camera and plug it into a network and _forget_ to set it up, it's a sitting duck for the time window between network connection and setup.

replies(7): >>45253258 #>>45253284 #>>45253613 #>>45254911 #>>45255062 #>>45258381 #>>45259653 #
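The design bri3d sketches, as an added example that is not part of the thread or of any camera vendor's firmware: a per-device secret derived from the serial number (keyed with a factory key, an assumption here, since a secret computed from the serial alone is recoverable by anyone who learns the scheme), printed on the label, and used for an offline mutual challenge-response in which the device proves knowledge first. All names, constants and the message layout are this example's own.

```python
import hmac
import os
from hashlib import sha256

# Constructed factory key (assumption): only the provisioning line knows it,
# never the device firmware or the app, so knowing a serial is not enough
# to recompute another unit's secret.
FACTORY_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)


def derive_device_secret(serial: bytes, factory_key: bytes = FACTORY_KEY) -> bytes:
    """Secret burned into the unit's EEPROM and printed on its label / QR code."""
    return hmac.new(factory_key, b"pairing-secret-v1|" + serial, sha256).digest()


def _tag(secret: bytes, role: bytes, nonce_app: bytes, nonce_dev: bytes) -> bytes:
    # The role label in the MAC input stops a reflected response from verifying.
    return hmac.new(secret, role + nonce_app + nonce_dev, sha256).digest()


class Device:
    """Camera side: holds only its own secret, no hardcoded admin password."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.nonce_dev = b""

    def challenge(self) -> bytes:
        self.nonce_dev = os.urandom(16)
        return self.nonce_dev

    def prove(self, nonce_app: bytes) -> bytes:
        # Device answers first, so an app that scanned a spoofed code
        # learns nothing before the device has shown it holds the secret.
        return _tag(self.secret, b"device", nonce_app, self.nonce_dev)

    def verify_app(self, nonce_app: bytes, app_tag: bytes) -> bool:
        expected = _tag(self.secret, b"app", nonce_app, self.nonce_dev)
        return hmac.compare_digest(expected, app_tag)


def pair(device: Device, scanned_secret: bytes) -> bool:
    """App side of the exchange; the device accepts the pairing only on True."""
    nonce_app = os.urandom(16)
    nonce_dev = device.challenge()
    expected_dev = _tag(scanned_secret, b"device", nonce_app, nonce_dev)
    if not hmac.compare_digest(device.prove(nonce_app), expected_dev):
        return False  # device does not hold the label secret: stop here
    return device.verify_app(nonce_app, _tag(scanned_secret, b"app", nonce_app, nonce_dev))
```

Because both nonces are fresh per attempt, a captured exchange cannot be replayed against the device, and a unit that is plugged in but never set up still has no default credential to accept.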
otikik No.45259653
Well, it was "the cheapest cam in Amazon" according to the article, so my expectations were that this would not be "ideal".