Researcher Jason Kent has found that his “Kasa” cam, made by TP-Link as part of its smart home range of products, is vulnerable to account takeover attacks. The researcher bought one to figure out what was eating his cucumber plants, and immediately noticed several worrying signs. First, he could access the video feed via the mobile app even when away from the home network. Second, the app’s transactions were easily accessible and revealed that the credentials were merely Base64-encoded. Third, the API error messages were very verbose, giving a potential attacker the clues needed to enumerate valid accounts.
As the security researcher explains, telling an attacker that an account doesn’t exist, or that they entered an incorrect password, is bad security practice: you are handing them clear clues about what is right and what is wrong. If the attacker has the time and the attack surface for brute-forcing, these clues make the process more targeted and therefore quicker. TP-Link could have used a generic error message and kept credential-stuffing risk to a minimum. Pinning the SSL certificate, and having the app hash the credential under SSL rather than merely encoding it and resending the same value, would also be a better approach.
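To make the point about error messages concrete, here is an added example (not the researcher’s code and not TP-Link’s API) of the same login check written two ways: one that leaks which half of the credential was wrong, and one that returns a single generic message and does the same amount of work whether or not the account exists. The user store, salts and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash_password("correct horse", _SALT))}

# A dummy record that is hashed on every unknown-account attempt, so that the
# response time does not reveal whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)


def login_verbose(username: str, password: str) -> str:
    """The pattern the article criticises: the message says which half was wrong,
    so a caller can first enumerate accounts and then guess passwords only for those."""
    record = USERS.get(username)
    if record is None:
        return "error: account does not exist"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "error: incorrect password"
    return "ok"


def login_generic(username: str, password: str) -> str:
    """Hardened form: one message for both failure cases, constant-time comparison,
    and a dummy hash computed for unknown accounts so timing stays uniform."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # The membership check guards against a guess that happens to match the dummy hash.
    valid = hmac.compare_digest(candidate, stored) and username in USERS
    return "ok" if valid else "error: invalid username or password"
```

The two failure paths in `login_generic` are indistinguishable to the caller, which is what removes the enumeration foothold; rate limiting and lockout still belong on top of it.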
Acting responsibly, J. Kent emailed TP-Link on March 5, 2020, and the company responded immediately by requesting more details. The researcher sent a video demonstrating the problems and gave the company 90 days to push a fix. Unfortunately, TP-Link prioritized other fixes on the Kasa platform, having initially promised to push a patch around April. On June 4, 2020, the disclosure period ended, yet the researcher waited a little longer, giving the vendor a chance to act. A firmware update that landed on June 11, 2020, did not fix the credential-stuffing vulnerability, and TP-Link told Kent they would need more time for it. On July 9, 2020, the issue was publicly disclosed, and it still remains unfixed.
One detail the researcher has not clarified is whether his findings concern one specific model from the Kasa line or the entire range of Kasa smart cameras. He has mentioned a Consumer Reports publication concerning the model he owns, so it could be the Kasa Cam KC120, the KC200, or the Kasa Smart KC300S2 System. If you own any of these products, apply firmware patches as soon as they become available, and try to deploy the cams in non-critical and non-sensitive locations.