TP-Link has recently fixed a high-risk vulnerability in the Tapo C200 IP camera. Using the well-known Heartbleed vulnerability in the TLS service on the public TCP port 443, the user's hashed password can be recovered from a memory dump. Because the login API accepts that hash directly as the credential, it can be replayed in a pass-the-hash attack. The device then issues a login token named "stok", which authenticates the caller for subsequent requests to the device.
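The Heartbleed half of the chain is detectable on the wire: a heartbeat request whose length field claims more payload than the record carries is exactly the shape a vulnerable OpenSSL answers with leaked memory. The following added example (illustrative detection logic, not code from the advisory or from TP-Link) parses TLS records and flags such requests; the sample records are constructed inline, and the RFC 6520 minimum padding of 16 bytes is the only assumption beyond the record layout.

```python
import struct
from typing import List, Optional

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 0x01      # heartbeat message type: request
HB_MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body).

    Raises ValueError if the record is shorter than its own header claims.
    """
    if len(data) < 5:
        raise ValueError("record shorter than TLS header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    return content_type, version, body


def is_heartbleed_probe(record: bytes) -> bool:
    """Return True for a heartbeat request whose claimed payload length is
    inconsistent with the bytes actually present in the record.

    A consistent request is: 1 byte type + 2 bytes payload_length + payload
    + at least 16 bytes padding. A patched peer drops inconsistent requests;
    an unpatched one echoes payload_length bytes read past the real payload.
    """
    content_type, _version, body = parse_tls_record(record)
    if content_type != TLS_HEARTBEAT or len(body) < 3:
        return False
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return False
    return 3 + payload_len + HB_MIN_PADDING > len(body)


def build_heartbeat_request(payload: bytes) -> bytes:
    """Constructed sample: a well-formed heartbeat request for the demo only."""
    body = struct.pack("!BH", HB_REQUEST, len(payload)) + payload + b"\x00" * HB_MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


def scan_records(records: List[bytes]) -> List[int]:
    """Run the check over a capture and return the indexes of suspicious records.

    Records that cannot be parsed (truncated) are skipped rather than flagged.
    """
    hits = []
    for i, rec in enumerate(records):
        try:
            if is_heartbleed_probe(rec):
                hits.append(i)
        except ValueError:
            continue
    return hits


if __name__ == "__main__":
    # Constructed capture: a handshake record, a benign heartbeat, and a heartbeat
    # whose 3-byte body claims a 0x4000-byte payload.
    capture = [
        b"\x16\x03\x01\x00\x01\x01",
        build_heartbeat_request(b"ping"),
        b"\x18\x03\x02\x00\x03\x01\x40\x00",
    ]
    print("suspicious record indexes:", scan_records(capture))
```

The check is purely passive and works on records already captured by a sensor; pairing it with an alert on port 443 traffic to the camera gives a concrete signal for the first step of the chain while the firmware is still unpatched.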
An attacker holding the token can make authenticated API calls, such as moving the camera's motor, formatting the SD card, creating an RTSP account to view the camera's video feed, and disabling privacy mode.
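The pass-the-hash half works only because the login API accepts the hash itself as the credential, which makes the hash a password equivalent. The following added example (illustrative, not the camera's firmware or TP-Link's scheme) contrasts that hash-compare login with one that verifies a submitted password against a salted scrypt verifier and gates API calls on a short-lived token; the token lifetime, class names and the SHA-256 choice for the weak variant are assumptions. Note the limit of the hardened design: a leaked verifier cannot be replayed, but a password caught live in process memory still can, so the disclosure itself is fixed only by patching the TLS stack.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 900  # assumed token lifetime; the advisory states none


class HashCompareLogin:
    """Weak design: the client submits a hash and the server compares it.

    Whatever the server accepts verbatim is a password equivalent; anyone who
    obtains the stored or transmitted hash can log in without the password.
    """

    def __init__(self, password: str):
        self.stored = hashlib.sha256(password.encode()).hexdigest()  # constructed scheme
        self.tokens: Dict[str, float] = {}

    def login(self, presented_hash: str) -> Optional[str]:
        if not hmac.compare_digest(presented_hash, self.stored):
            return None
        return issue_token(self)


class VerifierLogin:
    """Hardened design: salted, memory-hard verifier; only a password is accepted."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.verifier = self._derive(password)
        self.tokens: Dict[str, float] = {}

    def _derive(self, password: str) -> bytes:
        return hashlib.scrypt(password.encode(), salt=self.salt, n=2 ** 14, r=8, p=1)

    def login(self, password: str) -> Optional[str]:
        if not hmac.compare_digest(self._derive(password), self.verifier):
            return None
        return issue_token(self)


def issue_token(server, now: Optional[float] = None) -> str:
    """Mint a random, expiring session token (the role "stok" plays on the device)."""
    stok = secrets.token_hex(16)
    server.tokens[stok] = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    return stok


def authorize(server, stok: str, now: Optional[float] = None) -> bool:
    """Gate an API call on a live, unexpired token; expired tokens are purged."""
    expiry = server.tokens.get(stok)
    if expiry is None:
        return False
    if (now if now is not None else time.time()) > expiry:
        del server.tokens[stok]
        return False
    return True


def demo() -> Dict[str, bool]:
    """Replay a leaked secret against both designs and report what each allows."""
    weak = HashCompareLogin("camera-pw")
    hard = VerifierLogin("camera-pw")
    leaked_hash = weak.stored           # what a memory disclosure hands the attacker
    leaked_verifier = hard.verifier.hex()
    return {
        "weak_accepts_leaked_hash": weak.login(leaked_hash) is not None,
        "hard_accepts_leaked_verifier": hard.login(leaked_verifier) is not None,
        "hard_accepts_password": hard.login("camera-pw") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Two things follow for the defender: rotate the device password after patching, since a hash recovered before the fix stays valid in a hash-compare scheme, and treat any token-issuing endpoint as needing an expiry so a captured "stok" does not remain usable indefinitely.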
- Tapo C200 1.7.0 Firmware version < 1.0.10 (vulnerable)
- Tapo C200 1.7.0 Firmware version >= 1.0.10 (fixed)