These popular security cameras could be hacked to spy on you: What to do

UPDATED with comment from TP-Link.

One or more security cameras made and sold by TP-Link under its Kasa smart-home product line can be easily hacked due to a few serious vulnerabilities in the Kasa mobile app, says a researcher in a new report.

According to Cequence Security researcher Jason Kent, hackers can gain remote access to images, videos and settings by taking advantage of security flaws in the app for TP-Link's range of Kasa home security cameras. 

The same app controls Kasa smart plugs, smart light bulbs and smart wall switches. It's not clear whether the same app flaws might apply to those products.

Several bugs

Tom's Guide has reached out to TP-Link for comment, and we will update this story when we receive a response.

[UPDATE: TP-Link said all the problems were fixed by July 17, and Jason Kent's blog post was updated to reflect that change.]

Kent discovered the flaws when he purchased a Kasa camera and noticed a potential security problem.

“Upon installation I realized the mobile application was connecting directly over the network to the camera, and if I wasn’t on the network I still could see the images from my camera on the mobile app. As a security professional, this concerned me,” he said.

When investigating further, he found that the camera had an improperly secured secure sockets layer (SSL) certificate, leaving it vulnerable to man-in-the-middle attacks -- which might enable hackers to view and edit communications between the camera and the app. 

He noted that because the SSL certificate wasn’t pinned, crooks would find it “easy to open it up and look at the transactions”. 

SSL pinning, in which the app trusts only a specific known certificate, prevents certificates from being spoofed and so blocks man-in-the-middle attacks.

“I also found that the authentication is simply Base64 encoded username:password being passed under SSL. Security best practices dictate that the application should hash under the SSL rather than encoding and reiterated the value of pinning the certificate,” Kent said.

Base64 is not encryption but simply a method of encoding binary data in a compact text-based form. It's not secure at all.

For example, "password" in binary is "0111000001100001011100110111001101110111011011110111001001100100", which is rather long and unwieldy. But in Base64, "password" is the more manageable "cGFzc3dvcmQ=". It may look encrypted, but it really isn't, and anyone can easily translate it back to "password."

Account takeover

Kent warned that sloppy account authorization protocols in the Kasa app, which he reported to TP-Link in March, had yet to be patched and would let malefactors easily conduct credential-stuffing attacks as part of account-takeover efforts. 

That's because the Kasa mobile app tells you when you enter a non-existent username or a wrong password, which lets attackers quickly cross out items on their lists of possible usernames or passwords. 

Kent explained: “Since I used my email address as my username, as most do on this platform, a simple set of requests would allow for enumeration of the user accounts on the platform. As someone who works to battle automated cyber attacks (bots) and keep automated attacks at bay, I know that having verbose API error messages on authentication endpoints leads to Account Take Over (ATO) attacks.”

By taking advantage of these flaws, it’s possible for attackers to launch credential stuffing attacks. He said: “Now, it is possible for an attacker to enumerate usernames based on email lists. Once the known good username list is established, the password attack can begin. 

“ATO happens much more easily when an attacker can easily understand what a good username is and what the matching password is. This would lead to a Credential Stuffing attack to guess the passwords, otherwise the attacker would need to put in the good username and take over the account via a password reset mechanism.”

It's better for security if an app just keeps you logged out, without saying why, if you provide the wrong set of credentials.
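To illustrate the difference between verbose and generic login errors, here is an added example; it is not code from the Kasa app, TP-Link's API or Kent's report. The user store, function names, status codes and messages are all assumptions made for the sketch.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample data: one account in a hypothetical user store.
KNOWN, UNKNOWN = "alice@example.com", "nobody@example.com"
USERS = {KNOWN: _new_record("correct horse battery")}
# Random stand-in record so unknown emails cost the same hashing work.
_DUMMY = (os.urandom(16), os.urandom(32))

def login_verbose(email: str, password: str) -> tuple[int, str]:
    """Weak pattern: a different answer for each kind of failure."""
    if email not in USERS:
        return 404, "Account not found"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "Incorrect password"
    return 200, "OK"

def login_uniform(email: str, password: str) -> tuple[int, str]:
    """Hardened pattern: one generic failure, same work on every path."""
    salt, stored = USERS.get(email, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and email in USERS:
        return 200, "OK"
    return 401, "Invalid email or password"

def leaks_account_existence(login) -> bool:
    """Regression check: do the two failure cases look different to a client?"""
    return login(KNOWN, "wrong-password") != login(UNKNOWN, "wrong-password")

if __name__ == "__main__":
    for fn in (login_verbose, login_uniform):
        print(fn.__name__, "leaks account existence:", leaks_account_existence(fn))
```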

Little action 

Although Kent contacted the manufacturer in March, some of the flaws remain. He said: “As of this writing, however, they haven’t fixed the information disclosure on their platform, and ATO with Credential Stuffing is still a possible outcome. Their APIs are telling the attacker how to be more efficient and helping the attacker figure out valid username and password combinations.”

To avoid these attacks, it’s recommended that users set unique passwords and ensure that their devices are using up-to-date software. 

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!