Kasa Cameras Security Issues Found and Partially Fixed

A security researcher found a couple of vulnerabilities in Kasa Security Cams that allowed him to perform a man-in-the-middle attack and extract user names, opening the way for Account Take Over (ATO) attacks.

Security cameras represent a sensitive part of the IoT infrastructure because of their important functions. Bad actors can obtain sensitive data from smart cameras and their software and gain information from the physical world when they are compromised.

Jason Kent, a researcher from Cequence Security, wasn’t looking for something wrong with the Kasa cameras, but he ran into problems when he was trying to set up the device for his own use. It turned out that the developers hadn’t secured the app controlling the devices as well as they should have.

The first issue found was that the SSL certificate wasn’t pinned. Moreover, instead of hashing the usernames and passwords under SSL, the app was using BASE64. The second problem has to do with the way the app returns the errors.

“Of equal concern to me was that the authentication to the web platform, not the direct connection to the camera, was giving very verbose API error messages,” wrote Kent on his blog. “Since I used my email address as my username, as most do on this platform, a simple set of requests would allow for enumeration of the user accounts on the platform.”

The errors returned by the app are too specific. Instead of simply acknowledging a problem, the application said, in very specific terms, if the account wasn’t found or if the password was correct. Best practices dictate that queries should not return specific errors because it makes it easier for automated attacks to use credential lists.

TP-Link actually builds Kasa Cameras, and the researcher informed them of the issues, allowing 90 days to fix the problems. Developers fixed the vulnerability stemming from the SSL certificate but said repairing the verbose API error messages will take longer.

Add Comment

Your email address will not be published. Required fields are marked *