Updated with comments from TP-Link.
One or more security cameras manufactured and sold by TP-Link under its Kasa smart home product line could be easily hacked due to several serious vulnerabilities in the Kasa mobile app, a researcher says in a new report.
According to Cequence Security researcher Jason Kent, hackers can gain remote access to images, video, and settings by exploiting security flaws in the app for TP-Link's Kasa home security camera series.
The same app controls Kasa smart plugs, smart light bulbs, and smart wall switches. It is unclear if the same app flaw applies to these products.
Tom's Guide has reached out to TP-Link for comment and will update this article as soon as we receive a response.
[UPDATE: TP-Link announced that all problems had been fixed by July 17.]
Kent discovered the flaw when he purchased a Kasa camera and noticed a potential security issue.
"Upon installation, I noticed that the mobile application was connecting directly to the camera via the network. As a security expert, this bothered me."
Upon further investigation, he found that the app did not pin the camera's SSL/TLS certificate, which leaves the connection open to man-in-the-middle attacks: an attacker positioned between the app and the camera can present a certificate of their own and the app will accept it.
He noted that because SSL certificates are not secured, fraudsters can "easily open them and see transactions."
Certificate pinning closes this gap: the app is built to accept only the specific certificate (or public key) it expects, so a substituted or spoofed certificate is rejected and the traffic cannot be intercepted.
"We also found that authentication is simply a Base64-encoded username:password passed under SSL. Security best practices dictate that applications should be hashed under SSL, not encoded, reaffirming the value of pinning certificates," said Kent.
Base64 is not encryption; it is a reversible encoding that represents arbitrary bytes as printable ASCII so they can travel in text-only fields such as HTTP headers. Anyone who can read the encoded value can decode it instantly, with no key.
For example, the ASCII bytes of "password" are 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100, and in Base64 the same bytes become "cGFzc3dvcmQ=". The result may look scrambled, but it is not: decoding it gives back "password" without any secret.
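To make the point concrete, here is an added example (not code from the report or from TP-Link) that shows what an interceptor sees when a Basic-auth header crosses a connection it has managed to insert itself into. The header value and the credentials in it are constructed for illustration; the decoder follows the Basic scheme as RFC 7617 defines it.

```python
import base64
import binascii

# Constructed sample: an Authorization header as it would appear in an
# intercepted request. Hypothetical values, not from the Kasa app.
SAMPLE_HEADER = "Authorization: Basic dXNlckBleGFtcGxlLmNvbTpwYXNzd29yZA=="


def ascii_bits(text):
    """Return the ASCII bytes of `text` as space-separated 8-bit groups."""
    return " ".join(format(b, "08b") for b in text.encode("ascii"))


def basic_token(user, password):
    """Build the Base64 token a client sends for HTTP Basic auth."""
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_basic_auth(header_line):
    """Return (username, password) from an HTTP Basic Authorization header,
    or None if the line is not a well-formed Basic header.

    No key is involved: Base64 only hides the credentials from a casual glance.
    """
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: user-id ":" password. The user-id cannot contain a colon,
    # so split on the first one only; the password may contain more.
    user, sep, pwd = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None
    return user, pwd


if __name__ == "__main__":
    print(ascii_bits("password"))
    print(basic_token("user@example.com", "password"))
    print(decode_basic_auth(SAMPLE_HEADER))
```

The decoder rejects malformed tokens with `validate=True` so that stray characters raise rather than silently decoding to garbage; this matters when the input comes from a capture rather than a well-behaved client. The takeaway is the one the article makes: once TLS can be intercepted, Basic auth over it is plaintext for practical purposes, and pinning is what keeps the interception from happening in the first place.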
Kent warned that the sloppy account authentication protocols in the Kasa app, which he reported to TP-Link in March, are still unpatched and allow a malicious person to easily launch a credential stuffing attack as part of an account takeover.
That's because the Kasa mobile app returns a different error depending on whether the username does not exist or the password is wrong, so an attacker can tell the two cases apart, confirm which usernames are valid, and only then spend effort guessing passwords for those.
Kent explains: "As most people on this platform do, I used my email address as my username, so with a simple set of requests, I can enumerate user accounts on the platform. As someone who works to fight and contain automated cyber attacks (bots), I know that redundant API error messages in authentication endpoints can lead to account takeover (ATO) attacks."
By exploiting these flaws, attackers can launch credential stuffing attacks. He says: "Currently, an attacker can enumerate usernames based on email lists. Once a known good username list is established, a password attack can be launched. ATOs happen more easily when the attacker can easily figure out what a good username and matching password are. In this case, a Credential Stuffing attack would be used to guess the password, otherwise the attacker would have to enter a good username and use a password reset mechanism to take over the account."
The safer design is for the login endpoint to return one generic failure message, such as "invalid email or password", whichever part was wrong, so that a failed attempt reveals nothing about whether the account exists.
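The following is an added example, not code from the report or from the Kasa platform, that puts the leaky and the hardened login side by side and shows how an attacker turns the leaky one into a username list. The user store, the salt and the email addresses are constructed; the password hashing is PBKDF2 from the standard library, chosen here for illustration.

```python
import hashlib
import hmac

# Constructed user store. A fixed salt keeps the example deterministic;
# a real system stores a random salt per user.
_SALT = b"constructed-fixed-salt"
_ITERATIONS = 100_000  # illustrative; tune to your latency budget in production


def _hash(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


USERS = {
    "alice@example.com": _hash("correct horse"),
    "bob@example.com": _hash("battery staple"),
}

# Hash compared against when the email is unknown, so that path costs the
# same as a real password check and timing does not reveal the difference.
_DUMMY_HASH = _hash("dummy-placeholder")

# Constructed email list an attacker might feed to the endpoint.
CANDIDATES = ["alice@example.com", "carol@example.com", "bob@example.com"]


def login_verbose(email, password):
    """Leaky version: the error text says whether the username exists."""
    stored = USERS.get(email)
    if stored is None:
        return (False, "No account found for this email")
    if not hmac.compare_digest(stored, _hash(password)):
        return (False, "Incorrect password")
    return (True, "OK")


def login_generic(email, password):
    """Hardened version: one message for both failure cases, and the password
    hash is always computed and compared so response time does not leak."""
    known = email in USERS
    stored = USERS.get(email, _DUMMY_HASH)
    candidate = _hash(password)
    ok = hmac.compare_digest(stored, candidate) and known
    if not ok:
        return (False, "Invalid email or password")
    return (True, "OK")


def enumerate_accounts(login, candidates):
    """Attacker view: send each email with a junk password and keep the ones
    whose error does not say the account is missing."""
    return [e for e in candidates if login(e, "x")[1] != "No account found for this email"]


if __name__ == "__main__":
    print("verbose endpoint leaks:", enumerate_accounts(login_verbose, CANDIDATES))
    print("generic endpoint leaks:", enumerate_accounts(login_generic, CANDIDATES))
```

Against `login_verbose` the attacker's list shrinks to exactly the real accounts; against `login_generic` every candidate comes back with the same message, so the list is no shorter than the one they started with and the credential-stuffing stage has to be run blind. The dummy hash is the part that is easy to forget: returning early for unknown users keeps the message generic but leaves a measurable timing difference, which is the same information leak by another channel.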
Despite contacting the manufacturer in March, some flaws remain. He says: "However, as of this writing, they have not fixed the information leak on their platform and an ATO with credential stuffing is still a possibility. Their API tells attackers how to be more efficient and helps them find valid username/password combinations."
To limit exposure to such attacks, users are encouraged to use a unique password for each account, since credential stuffing only works when a password leaked from one site is reused on another, and to keep both the app and their devices on the latest software.