FRESH

Hacker News

Home

Wanted to spy on my dog, ended up spying on TP-Link

542 points by kennedn

by pimterry

3 subcomments

Oh awesome, this is using my Frida scripts! These: https://github.com/httptoolkit/frida-interception-and-unpinn....
Nice project, great to see the scripts doing good work in the wild. If you needed any extra additions or tweaks to get them working, I'd love to hear about it.

by bayesianbot

0 subcomment

> SIDENOTE: If you want 2 way audio to work in frigate you must use the tapo:// go2rtc configuration for your main stream instead of the usual rtsp://. TP-Link are lazy and only implement 2 way audio on their own proprietary API.
Annoyingly when this is in use, I can't use ONVIF which seems like the only way to pan and tilt the camera using open tools. So if I want to use two way audio and also control the camera, I have to stop the process reading tapo:// stream, start onvif client and rotate, turn off onvif client and start streaming using tapo:// again

by selinkocalar

11 subcomments

IoT security is generally terrible, but the fact that consumer routers are essentially unaudited black boxes processing all your network traffic is genuinely concerning. Most people have no idea their router firmware hasn't been updated in years and is probably running known CVEs. The supply chain trust model for networking hardware is broken.

by bstsb

1 subcomments

really like how this blog is written. a lot of writeups like this recently have been generated by an LLM, and it's quite distracting to read - this was a pleasant surprise. it strikes a good balance between technical and laid-back
(yes i know the cover image is AI-generated, that's incidental to the content)

by gnabgib

0 subcomment

Somewhat related:
The Tapo C200 research project https://drmnsamoliu.github.io/ (https://news.ycombinator.com/item?id=37813013)
PyTapo: Python library for communication with Tapo Cameras https://github.com/JurajNyiri/pytapo (https://news.ycombinator.com/item?id=41267062)

by 201984

3 subcomments

Are techniques like using Frida and mitmproxy on Android apps still going to be possible after the signing requirement goes into effect next year?

by tripdout

0 subcomment

Also somewhat related:
(TP-Link Firmware Decryption C210 V2 cloud camera bootloaders) https://watchfulip.github.io/28-12-24/tp-link_c210_v2.html?u...

by micah94

6 subcomments

So we're at the point that finding hardcoded admin passwords is no big deal.

by pooloo

1 subcomments

Unrelated, but I wonder if the OP's dog moves from the bed to the floor because the radiator turns on? might need more sensor data :D

by ChaoPrayaWave

1 subcomments

I know people who are still using the router their ISP gave them, and they’ve never even changed the default password. The thing is, they don’t even know it can be updated, let alone that there might be security vulnerabilities. To most users, if the internet works, that’s all that matters.

by wpm

0 subcomment

I love little projects like this, but man does this make me glad things like Thingino exists. Installing the firmware takes like 5 minutes, a little self-hosted web configurator pops up, you put in an SSID and a password, the camera reboots, and its yours. We should not have to reverse engineer crap like this.
https://thingino.com

0 subcomment

by HexPhantom

0 subcomment

This is the most gloriously overengineered way to find out your dog naps all day, and I respect the hell out of it.

0 subcomment

by mijoharas

0 subcomment

If the author is here, did you find a way to prevent the tapo from trying to connect to the internet every 20s? (I just blocked it's access, but it's annoying to see it all the denied requests in my router logs.)
I'm guessing not, and it's not really an issue since it can be used entirely locally without, but it's still kinda annoying.

by otikik

2 subcomments

Very nice project and writeup.
I wish there was a repository of "appliances that don't try to shove an app and a subscription down your throat"

by gslin

0 subcomment

The password `TPL075526460603` is also mentioned in CVE-2022-37255[1].
[1]: https://nvd.nist.gov/vuln/detail/CVE-2022-37255

by marcosscriven

1 subcomments

Side note - “full-proof” is an eggcorn of “foolproof”.

by xrd

1 subcomments

Does anyone have a good reference for which tapo cameras support rtsp? I have a c210 that works well (sort of, you can't use it with their cloud capture) and I have it working with frigate.
But today I got a c402 (outdoor) thinking I could use it to capture my son's soccer practice. But that doesn't have the camera account option under advanced.
I love the price point of these devices but the functionality is all over the place.
If anyone knows a good outdoor camera, preferably with solar panel, that is cheap and has an rtsp stream, please let me know.

by BLKNSLVR

2 subcomments

I tried and failed at enough suggestions I found on the internet and via AI to cobble together a frigate configuration that eventually worked with the Tapo cameras.

RTC setup section:

  go2rtc:
    streams:
      <Camera RTC name>:
        - rtsp://tapoadmin:<local camera account password>@<camera IP address>:554/stream1
        - ffmpeg:<Camera RTC name>#audio=opus
        - tapo://<Tapo cloud password>@<camera IP address>
      <Camera RTC name>_sub:
        - rtsp://tapoadmin:<local camera account password>@<camera IP address>:554/stream2
        - ffmpeg:<Camera RTC name>_sub#audio=opus
        - tapo://<Tapo cloud password>@<camera IP address>

Main section:

  <Camera name>:
    ffmpeg:
      output_args:
        record: preset-record-generic-audio-aac
      inputs:
        - path: rtsp://127.0.0.1:8554/<Camera RTC name>_sub
          input_args: preset-rtsp-restream
          roles:
            - detect
        - path: rtsp://127.0.0.1:8554/<Camera RTC name>
          input_args: preset-rtsp-restream
          roles:
            - record
            - audio
    detect:
      enabled: true
      width: 640
      height: 360
      fps: 7
    live:
      streams:
        <Camera RTC name>: <Camera RTC name>
    record:
      enabled: true
      retain:
        days: 0
        mode: all

Where:

* <Camera RTC name> is just any old short name you want to assign to the camera.

* <Camera name> is the main name for the camera that will be shown in the frigate UI

* <local camera account password> is something set individually on each camera (settings > Advanced > Camera Account, set it to On and setup username/password > Account Information)

* <Tapo cloud password> is the password setup for the Tapo app (I'm not sure how necessary this is, since there's nowhere that the username is specified... this is the only bit I'm fuzzy on)

This is the basics that works for me for the Tapo cameras. There are a boatload of other settings specific to Frigate (but not specific to Tapo cameras).

This is nowhere near as cool hack as the article, however.

by serf

0 subcomment

go2rtc is great. the compatibility range it offers is just huge and gets rid of 90% of the difficulty in making a decent NVR app.

by GuinansEyebrows

1 subcomments

Thank you for including the final part about what your dog has been up to :)

by fnord77

1 subcomments

They cracked the APK to get the default password, but googling for it I see it is in a CVE from 2022
https://nvd.nist.gov/vuln/detail/CVE-2022-37255

by rcarmo

0 subcomment

Every single post on this site is worth reading. Loads of fun with hacking electronics. :)

by Gualdrapo

3 subcomments

Got one for my house but what really annoyed me was that I wasn't able to set a fixed IP for it

by cleartext412

1 subcomments

Hacking together something usable out of cloud-first piece of hardware you ended up with is respectable, but I would like to bring up another option to go with if you're choosing a new device: buy camera that doesn't require a phone app to initial setup and serves RTSP out of the box.

by ComputerGuru

0 subcomment

Anyone have a similar fix for Yi/Kami cameras?

by levid042

0 subcomment

Yes Pls I'm begging u

by ur-whale

0 subcomment

I used to get in the kind of frustrated situations where, like the author, I spent two days reverse-engineering something I had just bought just to get it to do what I thought it obviously would when I bought it.
IOT things like the thing he bought are (were) typically the worst kind of offenders.
I just don't do that anymore. It used to bring me pleasure cracking the nut, and that's not the case any longer.
These days, if it does not do what I need more or less out of the box, I just return it / send it back and research the follow-up buy better.

by johng

0 subcomment

Interesting... from the terminal I see he named his laptop the same thing I've named one of my cheaper laptops too... craptop. LOL.

by pessimizer

1 subcomments

The cover image is a 2.8M png, if the author is reading. I gave up my github account so cannot comment.

by ck2

2 subcomments

tapo annoyingly is also one of the only cameras that doesn't have a still snapshot url after all these years and endless requests from many
someone needs to make replacement firmware
ffmpeg can fake it but takes a few seconds to grab from the video stream and of course you can't run ffmpeg from your browser (or wait, can you now?)
```
     ffmpeg -rtsp_transport tcp -i "rtsp://cameraname:camerapass@192.168.1.23:554/stream1" -an   -y  -vframes 1 -f image2 -vcodec mjpeg  "snap.jpg"
```

by huflungdung

0 subcomment

[dead]