Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
Vendor: TP-Link
Vendor URL: https://www.tp-link.com/uk/
Versions affected: 1.7.0
Systems Affected: Tapo C200
Author: Dale Pavey
Risk: High
Summary:
The device is vulnerable to the heartbleed vulnerability and a Pass-the-Hash attack.
Impact:
Successfully exploiting the Heartbleed vulnerability leads to the device being remotely taken over using the memory-leaked user hash and the Pass-the-Hash attack.
Details:
Using the discovered Heartbleed vulnerability exposed on TCP port 443, it was possible to discover the user’s hashed password within a memory dump. The hash was then used in a Pass-the-Hash attack using the login process on the API. This resulted in a login token called a ‘stok’ being issued which could be used to authenticate to the device as the user.
Using the ‘stok’ value, this was then passed to the camera to perform authenticated API calls such as; moving the camera’s motor, format the SD card, create an RTSP account to view the camera’s video feed, and disable privacy mode.
Recommendation:
Update the firmware to version 1.0.10 or above.
https://www.tapo.com/uk/faq/21/
Vendor Communication:
07/05/2020: Initial contact with TP-Link security advisory team
12/05/2020: Vulnerability details sent to TP-Link security contact
14/05/2020: Issue confirmed with Vendor and patch being released in June
17/07/2020: 1.0.10 Device patch released fixing the discovered issue