Vulnerability Found in Kasa Camera
A hobby farmer on the hunt for a vegetable-eating critter has discovered a flaw in a popular outdoor home security camera.
Midwesterner Jason Kent purchased a Kasa camera to help identify whatever creature it was that had been eating his cucumber plants. In addition to uncovering the antics of a groundhog, Kent was alarmed to discover an account takeover (ATO)/credential stuffing vulnerability in the security device.
Kent said: “Upon installation I realized the mobile application was connecting directly over the network to the camera, and if I wasn’t on the network, I still could see the images from my camera on the mobile app. As a security professional, this concerned me.”
Kent, who is hacker-in-residence at Cequence Security, said the cybersecurity flaw he found in the device could allow a bad actor to spy on a user’s home and change the camera’s settings.
“This API vulnerability makes it easier for a cyber-criminal to take over someone’s Kasa camera account and then use that access to change passwords, modify camera settings, view private security footage or use it to surreptitiously snoop on a user’s home,” he said.
Through further investigation, Kent discovered that although the Kasa’s mobile application uses SSL, the SSL certificate wasn’t pinned. This made it “easy to open it up and look at the transactions.”
“I also found that the authentication is simply BASE64 encoded username:password being passed under SSL,” said Kent.
“Security best practices dictate that the application should hash under the SSL rather than encoding and reiterated the value of pinning the certificate.”
Of equal concern to Kent was the finding that the authentication to the web platform was giving “very verbose” API error messages included phrases such as “password incorrect.” Kent posits that this could leave users who set up their username as their email address vulnerable to cyber-attack.
Kent reported his concerns to TP-LINK, parent company of the Kasa brand, in March 2020. On June 15, the company said that the vulnerability he found would be fixed. At time of publication, the flaw had still not been remedied.