Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera

Vendor: TP-Link

Vendor URL: https://www.tp-link.com/uk/

Versions affected: 1.7.0

Systems Affected: Tapo C200

Author: Dale Pavey

Risk: High

Summary:

The device's HTTPS service (TCP port 443) is vulnerable to Heartbleed (CVE-2014-0160), and its login API accepts the user's password hash in place of the password, so a leaked hash can be replayed in a Pass-the-Hash attack.

Impact:

Exploiting Heartbleed leaks the user's password hash from the device's process memory; replaying that hash against the login API (Pass-the-Hash) yields a valid session token, so an attacker who can reach TCP port 443 takes over the device remotely without ever knowing or cracking the password.

Details:

The Heartbleed vulnerability exposed on TCP port 443 returns chunks of the TLS process's memory to any client, and the user's hashed password was found in such a memory dump. Because the login API accepts the hash itself as the credential, the recovered hash could be submitted directly to the login process, with no cracking required (a Pass-the-Hash attack). The device responded with a login token called a 'stok', which authenticates subsequent requests as that user.

Passing the 'stok' value to the camera's API then allowed authenticated calls such as moving the camera's motor, formatting the SD card, creating an RTSP account to view the camera's video feed, and disabling privacy mode.

Recommendation:

Update the firmware to version 1.0.10 or above.

https://www.tapo.com/uk/faq/21/

Vendor Communication:

07/05/2020: Initial contact with TP-Link security advisory team

12/05/2020: Vulnerability details sent to TP-Link security contact

14/05/2020: Issue confirmed by vendor; patch scheduled for release in June

17/07/2020: Firmware 1.0.10 released, fixing the reported issue