A popular consumer-grade security camera made by TP-Link and sold under the Kasa brand has a bevy of bugs that open the hardware to remote attacks, such as giving hackers access to private video feeds and the ability to change device settings.
The researcher Jason Kent, with Cequence Security, reported the flaws to TP-Link on March 2. On Thursday, the researcher publicly disclosed the bugs and noted that TP-Link has not patched one of the vulnerabilities – an account takeover (ATO) bug that opens the door to credential stuffing attacks.
The most troubling bug Kent found was an insecure implementation of an SSL certificate on the Kasa mobile application. That vulnerability left the door open to man-in-the-middle attacks. The flaw was patched on June 11. It’s unclear if the patch was pushed to devices or if consumers will need to download the patch themselves.
In a blog post publicly disclosing the TP-Link Kasa bugs, Kent describes the risks associated with the Kasa security cameras.
“I looked at the application request methods and given the potential sensitivity of the data in the system I wanted to ensure the data transfer was encrypted,” Kent wrote in a blog Thursday.
He noted that Kasa’s mobile application does use secure sockets layer (SSL) to authenticate, encrypt and decrypt data sent over the internet. However, the researcher noted that the SSL certificate used was not pinned. Certificate pinning is a security measure that protects against SSL certificate impersonation attacks carried out with mis-issued or fraudulent certificates. In the case of the Kasa mobile application, the flaw left the door open to man-in-the-middle attacks.
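To make the pinning point concrete, here is an added illustration (not code from the Kasa app, TP-Link or Cequence) of how a client can pin a server certificate on top of normal chain and hostname validation: it hashes the DER-encoded leaf certificate presented during the handshake and refuses the connection unless that hash matches a pin shipped with the client. The host, port and pin values are placeholders, and the byte strings used to exercise the comparison are constructed for the example.

```python
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex-encoded (a certificate pin)."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes: bytes, pins) -> bool:
    """True if the presented certificate matches any of the pins shipped with the client.

    Several pins are normally shipped (current cert plus a backup) so that the
    operator can rotate the certificate without bricking deployed clients.
    """
    presented = cert_fingerprint(der_bytes)
    return any(hmac.compare_digest(presented, pin.lower()) for pin in pins)


def pinned_connect(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the certificate pin.

    create_default_context() keeps ordinary CA-chain and hostname validation;
    pinning is an additional check, not a replacement for it. A certificate that
    chains to a trusted CA but is not the expected one (the mis-issued or
    fraudulent case described above) is rejected here and the socket closed.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # leaf certificate, DER bytes
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(
            f"certificate pin mismatch for {host}: got {cert_fingerprint(der or b'')}"
        )
    return tls


if __name__ == "__main__":
    # Constructed demonstration of the comparison logic without a network connection.
    good_cert = b"constructed-der-bytes-of-the-expected-certificate"
    other_cert = b"constructed-der-bytes-of-a-different-certificate"
    pins = [cert_fingerprint(good_cert)]
    print("expected cert accepted:", pin_matches(good_cert, pins))  # True
    print("other cert accepted:   ", pin_matches(other_cert, pins))  # False
    # To use against a real endpoint (placeholders; not a TP-Link endpoint):
    # tls = pinned_connect("api.example.invalid", 443, ["<sha256-hex-pin>"])
```

A mobile app typically stores the pin for its backend in the binary and updates it with app releases; the same hash-and-compare logic is what Android's network security configuration or an HTTP client's pinner performs, and the check runs only after the platform's normal certificate validation has already succeeded.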
While this bug was patched, TP-Link told Cequence Security that the second bug, the ATO issue, will take “quite a bit to fix” and will need to be addressed at a later date.
Regarding the account takeover bug the researcher said:
“Of equal concern to me was that the authentication to the web platform, not the direct connection to the camera, was giving very verbose API error messages. Since I used my email address as my username, as most do on this platform, a simple set of requests would allow for enumeration of the user accounts on the platform. As someone who works to battle automated cyber attacks (bots) and keep automated attacks at bay, I know that having verbose API error messages on authentication endpoints leads to Account Take Over (ATO) attacks,” he wrote.
He added that these conditions allowed an adversary to launch an attack using usernames (based on email lists) and passwords to eventually crack open an account. That’s because the Kasa camera’s API generated error messages that included “Account not found” and “Password incorrect,” rather than a more secure alternative such as a uniform failure response combined with a password reset mechanism for incorrect password attempts.
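The difference Kent describes comes down to whether the authentication endpoint's failure responses distinguish "no such account" from "wrong password". The following added example (not TP-Link's or Cequence's code; the user store, hashing parameters and account values are constructed for illustration) shows a login handler in both forms alongside a small check a defender can run in a test suite to confirm the two failure paths are indistinguishable to a caller.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 100_000  # constructed value for the example; tune for production


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, password hash). Hypothetical account.
_SALT = b"constructed-salt"
USERS = {
    "alice@example.com": (_SALT, _hash_password("correct horse battery", _SALT)),
}


def login_verbose(username: str, password: str) -> dict:
    """'Before': the two failure paths return different messages, so a caller can
    learn which usernames exist before guessing a single password."""
    record = USERS.get(username)
    if record is None:
        return {"ok": False, "error": "Account not found"}
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return {"ok": False, "error": "Password incorrect"}
    return {"ok": True}


# Dummy credential so the unknown-user path does the same hashing work as the
# known-user path; otherwise response timing would still reveal the difference.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash_password("constructed-dummy-password", _DUMMY_SALT)


def login_uniform(username: str, password: str) -> dict:
    """'After': identical response body and comparable work on both failure paths."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if username not in USERS or not password_ok:
        return {"ok": False, "error": "Invalid username or password"}
    return {"ok": True}


def failures_distinguishable(login) -> bool:
    """Defender's regression check: does the endpoint answer an unknown user and a
    wrong password differently? True means the endpoint leaks account existence."""
    unknown_user = login("nobody@example.com", "anything")
    wrong_password = login("alice@example.com", "wrong")
    return unknown_user != wrong_password


if __name__ == "__main__":
    print("verbose handler leaks account existence:", failures_distinguishable(login_verbose))
    print("uniform handler leaks account existence:", failures_distinguishable(login_uniform))
```

The uniform handler still returns success for the correct credentials, so nothing is lost functionally; what changes is that a failed attempt no longer tells the caller which half of the credential pair was wrong. Rate limiting, lockout or a reset flow after repeated failures then complements the uniform response rather than substituting for it.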
While the researcher did not single out a specific model impacted by the bug, he did say the security camera model was part of a recent review by the publication Consumer Reports. TP-Link models recently reviewed by the publication include the Kasa Cam KC120 and KC200, along with the Kasa Smart KC300S2 System.
TP-Link did not return a request for comment for this report.