
Posted by sibellavia 12/19/2025

TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy(www.evilsocket.net)
347 points | 123 comments
SilverElfin 12/19/2025|
So which camera brand has adequately designed software? It’s hard to know as a consumer what to trust or not trust, because how do you evaluate the quality of their work when the device SEEMS to work as expected? Is Ring the only choice?
ssl-3 12/19/2025||
If the firmware is not open and buildable, then it can only be an untrustable black box.

If you don't want untrustable black boxes hanging around, then your options become pretty limited.

You can DIY something with an SBC like a Raspberry Pi or whatever. You can hang USB cameras off of your computers like it's 2002 again. You can try to find something that OpenIPC or thingino or whatever supports. (You'll never finish with this project as the years wear on, the hardware fails, product availability ebbs and flows, and the scope changes. Maybe that sounds like a fun way to burn time for someone, but it doesn't sound like fun to me.)

Or, you can accept that the world is corrupted -- and by extension, the cameras are also all corrupted.

The safe solution is then actually pretty simple: Use wired-only cameras that work with Frigate (or whatever your local NVR of choice may be), keep them on their own private VLAN that lacks Internet access, and don't worry about it.

The less-safe solution is also pretty simple: Do what everyone else is doing, and just forget the problem exists at all. Switch your brain off, buy whatever, and use it. (And if there's an area that you don't want other people to see, then: Don't put a camera there.)

(We probably are not as interesting as we may think we are, anyway.)

notjosh 12/19/2025||
I've installed Thingino on my cameras such as this. Cheap camera + custom (local only!) firmware is a good solution imo.

No guarantee that it'll be perfect either, obviously, but it's open source and actively maintained. Highly recommended.

dns_snek 12/20/2025||
Thingino is great for many other reasons but security is not one of them - definitely segregate those cameras on a locked down VLAN. The web interface is HTTP-only and it uses the same credentials as root SSH access on the camera, and most of the web ui handling code is highly questionable to say the least.
mlaretallack 12/19/2025||
Very interesting, I had a go with Ghidra and AWS Amazon Q, used it to reverse the video feed on a toy drone. I did not think to look for GhidraMCP, would have made it a lot quicker.
defraudbah 12/20/2025||
I used this website to research the camera https://drmnsamoliu.github.io/
nine_k 12/19/2025||
I more and more tend to not buy any network-connected product if there's no open-source firmware to run on it.

(Phones are one notable exception. I need contactless payments to work.)

tehlike 12/19/2025||
Good thing some tapos do have alternative firmware like thingino.
dns_snek 12/20/2025||
You should still treat it as radioactive waste. Protect it and protect yourself from it - segregated VLAN, no internet access, just like you would do with official firmware.
mindslight 12/19/2025||
If you call up your contactless payment provider, most will send you a physical device that will do contactless payments on its own, for free even. You can tape it to the back of your phone, or anywhere else for that matter.
chatmasta 12/19/2025||
Also, your phone doesn’t need to be connected to the internet for contactless payments, anyway.
shreddit 12/19/2025||
As soon as I read the author used Grok as an AI assistant, I was somehow less interested in reading on. Not because of the usage of AI, but the chosen provider. (I don’t know whether Grok is just the best choice for this kind of work.)

Is it wrong to judge people for their choice of ai providers?

sva_ 12/19/2025||
I think when your political views cloud your ability to take in information on an objective level, it might be bad.
wh0thenn0w 12/19/2025||
You can just not like Elon, doesn't have to be political at all.
vablings 12/19/2025|||
I think it's hard to say. Grok is pretty good and also fairly free with good usage limits.

Every single AI company in my opinion is committing fairly grave misdeeds with the ruthless scraping of the internet and lack of oversight.

Not to mention the shady backdoor deals going on with big tech and the current administration.

Grok is also pretty bad with its whole gas turbines in one state and datacenter in another and some possible environmental issues

It's more of a pick your poison at this point

wyldfire 12/20/2025||
> also fairly free with good usage limits.

But doesn't it need to have such free usage in order to overcome image problems? Referring to itself as a Nazi [1][2] for example.

[1] https://www.npr.org/2025/07/09/nx-s1-5462609/grok-elon-musk-...

[2] https://www.politico.com/news/magazine/2025/07/10/musk-grok-...

scotty79 12/19/2025|||
It's worth interacting with all models. In my experience, for programming questions grok delivered better answers than ChatGPT (and Claude) often enough that at some point I wasn't sure which model I should be asking first.
kernal 12/19/2025|||
No, because it allows us to evaluate the type of person you are. For example, I can tell you're a member of Bluesky.
walterbell 12/19/2025||
Which AI providers have access to real-time Twitter data?
2gremlin181 12/19/2025|||
Genuinely curious, what are some use cases that you require live Twitter data in your LLM for?
walterbell 12/19/2025||
The topic of this HN thread: security, which is ever-evolving.
blibble 12/19/2025||||
when has anything of value been posted on twitter?
sroussey 12/19/2025|||
Ones with better answers. Twitter dumbs down grok.
robertpohl 12/19/2025||
If a friend has this camera, should he be worried?
tamimio 12/19/2025||
Per the article, the attacker can restart the camera and potentially find the accurate position of it. However, if the attacker can be physically in proximity within the camera range, they can MITM it and intercept the video feed. So it depends on your friend's threat model. If the camera is recording something in a public location and they don't mind the location being exposed and potentially the video feed (like plenty of live public cameras), then it shouldn't be an issue. Otherwise, they need to disable it until it gets fixed.
reddalo 12/20/2025||
> they can MITM it

Can they? I thought they could only do it if they're in the same LAN.

defraudbah 12/20/2025||
the exploit is to make camera disconnect and connect to your wifi, that's how they MITM, pretty long process unless you do it often
buddhistdude 12/20/2025||
could be automated though?
defraudbah 12/20/2025||
yes, everything can be automated, but people don't always have time to automate everything, so it depends on whether your area has many C200s, which is a home camera, not an outdoor one
buddhistdude 12/19/2025|||
not necessarily worried, but like put on some pants before entering the room
userbinator 12/19/2025|||
If it's isolated from the Internet, no.
g5pw 12/19/2025|||
As @tehlike said in a sibling comment, it looks like it is supported by https://thingino.com, so you can 'update' the firmware to a more secure (and FOSS) one!
sciencejerk 12/19/2025||
Yep
magmostafa 12/19/2025||
This is exactly why network segmentation is critical for IoT devices. I always recommend putting all smart cameras and IoT devices on a separate VLAN with no direct internet access - only local network access through a firewall with strict egress rules.

For anyone concerned about their TP-Link cameras, consider: 1. Disable UPnP on your router 2. Use VLANs to isolate IoT devices 3. Block all outbound traffic except specific required endpoints 4. Consider replacing stock firmware with open alternatives when available 5. Regularly check for firmware updates (though as this article shows, updates can be slow)

The hardcoded keys issue is particularly troubling because it means these vulnerabilities persist across the entire product line. Thanks for the detailed writeup - this kind of research is invaluable for the security community.
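
The segmentation ssl-3 and magmostafa describe (cameras on their own VLAN, no internet, the NVR as the only thing that talks to them), written down as a small policy model that also renders itself as an nftables forward chain. This is an added example, not code from the writeup or from either commenter. The addresses, the NVR and local-NTP roles, and the choice of RTSP on tcp/554 as the only service the NVR reaches are assumptions for illustration.

```python
"""Added example: model a camera-VLAN policy and render it as nftables.

Addresses, host roles and port numbers are assumptions for illustration,
not values from the writeup or from any vendor documentation.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

CAMERA_NET = ipaddress.ip_network("10.99.0.0/24")  # assumed camera/IoT VLAN
NVR = ipaddress.ip_address("10.0.0.10")            # assumed Frigate host on the trusted LAN
NTP = ipaddress.ip_address("10.0.0.1")             # assumed local NTP server (the router)

# Connections a camera may initiate: local NTP only, so its clock keeps working
# without internet. Cloud, public DNS, SSDP/UPnP discovery and anything on the
# trusted LAN are all dropped.
CAMERA_EGRESS_ALLOW = {(NTP, "udp", 123)}

# Connections the NVR may initiate to cameras: RTSP pull only. The rest of the
# trusted LAN gets no access; the NVR is the single entry point.
NVR_TO_CAMERA_ALLOW = {("tcp", 554)}


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection; replies are handled by conntrack."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def decide(flow: Flow) -> str:
    """Verdict the rendered ruleset should give a *new* connection."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in CAMERA_NET:
        if (dst, flow.proto, flow.dport) in CAMERA_EGRESS_ALLOW:
            return "accept"
        return "drop"
    if dst in CAMERA_NET:
        if src == NVR and (flow.proto, flow.dport) in NVR_TO_CAMERA_ALLOW:
            return "accept"
        return "drop"
    return "accept"  # flows that never touch the camera VLAN are out of scope here


def render_nftables() -> str:
    """Render the same policy as an nftables forward chain (load with `nft -f`)."""
    lines = [
        "table inet camera_vlan {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    for host, proto, port in sorted(CAMERA_EGRESS_ALLOW, key=str):
        lines.append(f"    ip saddr {CAMERA_NET} ip daddr {host} {proto} dport {port} accept")
    lines.append(f"    ip saddr {CAMERA_NET} drop")
    for proto, port in sorted(NVR_TO_CAMERA_ALLOW):
        lines.append(f"    ip saddr {NVR} ip daddr {CAMERA_NET} {proto} dport {port} accept")
    lines.append(f"    ip daddr {CAMERA_NET} drop")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nftables())
    for f in (Flow("10.99.0.5", "8.8.8.8", "udp", 53),
              Flow("10.99.0.5", "10.0.0.1", "udp", 123),
              Flow("10.0.0.10", "10.99.0.5", "tcp", 554)):
        print(f, decide(f))
```

Two caveats a practitioner would want: the chain only covers routed traffic, so a camera's DHCP and DNS requests to the router itself go through the input hook and are unaffected; and the vendor app's initial pairing usually needs the phone to reach the camera directly, so that access has to be granted temporarily and removed again. Allowing local NTP is the trade-off for not letting the camera reach the vendor's time source.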

alexfoo 12/19/2025||
A friend once asked me to do some pen-testing on a machine he was running on his home network. He said I'd need to come round to his house to do this as he didn't want to provide access to the machine via the Internet. Fair enough.

When he opened his front door the conversation went something like this:

    Him: "Ah hello, thanks for coming round to do this. It should be fun, come in and we can get started."
    Me: "OK, but I'm already done."
    Him: "What?"
    Me: "I'm done. I've already got root on the machine and I left a little text file in root's home directory as proof."
    Him: "What? But ... what? Wifi?"
    Me: "Nope. Let me in and I'll explain how."
The short story is he had a PoE IP-based intercom system on his front gate. I remembered this from when he was going on about his plans for his home network setup and how amazing PoE was and how he was going to have several cameras etc. I also remember seeing the purple network cable sticking out of the gate pillar whilst the renovation work was being done and the intercom hadn't yet been installed.

I'd arrived 45 minutes early, unscrewed the faceplate of the intercom system and, with a bit of wiggling, I got access to a lovely Cat-5 ethernet jack. Plugging that into my laptop, I was able to see his entire home network; the port for the intercom was obviously not on its own VLAN. Finding and rooting the target machine was a different matter but those details are not relevant to this story.

I suppose I got lucky. He could have put the IoT devices on separate VLANs. He could have had some alerting set up so that he'd be notified that the intercom system had suddenly gone offline. He could have limited access to the important internal machines to a known subset of IPs/ports/networks.

He learned about all of the above mitigations that day.

I've always wondered just how many people have exposed their own internal network in a similar way when trying to improve their external security (well, deterrent, not really security) by configuring it poorly.
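
The alerting alexfoo says his friend could have had, as an added example that is not part of the comment: watch the switch's log for the port whose cable ends outside the building, alert when it goes link-down, alert again when a MAC other than the intercom's is learned on it, and flag the two together as a probable device swap. The syslog wording and the port inventory are constructed for this example; real switches phrase these events differently and the regexes need adjusting to match.

```python
"""Added example: alerting on an 'external' switch port (gate intercom, doorbell).

The log format and the port inventory below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Hypothetical inventory: ports whose cable is reachable from outside and the
# single MAC each one should ever carry.
EXTERNAL_PORTS = {
    7: {"label": "gate intercom", "mac": "00:11:22:aa:bb:cc"},
}

# Constructed switch syslog: an unplug/replug that learns a foreign MAC on the
# intercom port, an unrelated device on port 3, then a later replug of the
# intercom itself (its own MAC comes back, so only the outage is reported).
SAMPLE_LOG = """\
Dec 19 13:02:11 sw1 link: port 7 link down
Dec 19 13:02:40 sw1 link: port 7 link up
Dec 19 13:02:41 sw1 mac: learned 3c:5a:b4:11:22:33 on port 7 vlan 1
Dec 19 13:05:02 sw1 mac: learned aa:bb:cc:dd:ee:01 on port 3 vlan 1
Dec 19 13:47:13 sw1 link: port 7 link down
Dec 19 13:47:30 sw1 link: port 7 link up
Dec 19 13:47:31 sw1 mac: learned 00:11:22:aa:bb:cc on port 7 vlan 1
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<fac>\w+): (?P<msg>.*)$")
LINK_RE = re.compile(r"port (?P<port>\d+) link (?P<state>up|down)")
MAC_RE = re.compile(r"learned (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on port (?P<port>\d+)")


@dataclass(frozen=True)
class Alert:
    ts: str
    port: int
    kind: str    # link_down | unexpected_mac | device_swap
    detail: str


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%b %d %H:%M:%S")  # year-less syslog timestamp


def detect(log_text: str) -> list[Alert]:
    """One alert per link-down and per foreign MAC on an external port."""
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if link := LINK_RE.search(msg):
            port = int(link["port"])
            if port in EXTERNAL_PORTS and link["state"] == "down":
                alerts.append(Alert(ts, port, "link_down",
                                    f"{EXTERNAL_PORTS[port]['label']} went offline"))
        elif mac := MAC_RE.search(msg):
            port = int(mac["port"])
            expected = EXTERNAL_PORTS.get(port)
            if expected and mac["mac"].lower() != expected["mac"]:
                alerts.append(Alert(ts, port, "unexpected_mac",
                                    f"{mac['mac']} on {expected['label']} port, expected {expected['mac']}"))
    return alerts


def correlate(alerts: list[Alert], window_s: int = 300) -> list[Alert]:
    """A foreign MAC within window_s of a link-down on the same port: probable device swap."""
    swaps: list[Alert] = []
    downs = [a for a in alerts if a.kind == "link_down"]
    for a in alerts:
        if a.kind != "unexpected_mac":
            continue
        for d in downs:
            gap = (parse_ts(a.ts) - parse_ts(d.ts)).total_seconds()
            if d.port == a.port and 0 <= gap <= window_s:
                swaps.append(Alert(a.ts, a.port, "device_swap",
                                   f"{d.detail}; then {a.detail} ({gap:.0f}s later)"))
                break
    return swaps


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found + correlate(found):
        print(f"{a.ts} port {a.port} {a.kind}: {a.detail}")
```

The same idea works from a DHCP server's lease log instead of the switch (a lease handed out on the IoT VLAN to a MAC you have not registered), which is the only signal available on unmanaged switches that do not log link state at all.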

vsgherzi 12/20/2025|||
Not relevant? That’s the best part! Spill it!
tguvot 12/20/2025|||
enforcing 802.1x on switch is also good solution, especially for "external" ports.
onlydnaq 12/20/2025||
802.1x is quite trivial to bypass if you have an authenticated device (in this case the intercom) that you can transparently bridge[1].

[1]. https://www.defcon.org/images/defcon-19/dc-19-presentations/...

tguvot 12/20/2025||
it still will block or slow down many.

802.1x is commonly deployed with macsec. Will it also be trivial to bypass?

justsomehnguy 12/21/2025||
Have you ever seen an intercom or IP camera with macsec support?
tguvot 12/21/2025||
yes

for example https://newsroom.axis.com/en-us/press-release/macsec-zero-tr...

justsomehnguy 12/21/2025||
That's great.

Now we need to get an enterprise grade switch - doubt Cisco would add macsec into SOHO gear. Along with enterprise grade intercoms, cameras, doorbells...

And beloved by many Unifi is out of question - they still can't bake IPv6 support.

So looks like it's feasible but the cost wouldn't be good.

ADD: also read this article: https://news.ycombinator.com/item?id=41531699

tguvot 12/21/2025|||
I'm well familiar with macsec. We use it between datacenters and for AWS directlink. It's the de facto standard for this kind of stuff. I even worked on hardware that provided macsec support.

A couple of years ago I tried to use it inside a datacenter during a FedRAMP implementation. It crashed and burned for a couple of reasons:

- linux wpa_supplicant was crashing during session establishment

- switch had a limit on number of macsec session per port

alexfoo 12/22/2025|||
Looks like some Ubiquiti UniFi switches (definitely SOHO) support 802.1x
justsomehnguy 12/23/2025||
802.1x != MACSEC
dpkirchner 12/20/2025|||
I have my cameras connected to a N150 server running hostapd and dnsmasq and no IP forwarding. That server runs Frigate. I figured if I need a server anyway it might as well be the AP.

It's a little bit of a pain to set up the cameras because of the mobile app. I have to connect to the AP on my phone and as it doesn't have internet access my phone nags me, and this specific model doesn't have an external antenna. If it did I think it might be the ideal setup.

realcul 12/19/2025||
do you happen to have a guide on how to achieve this - I am fairly technical but still, configuring VLANs and moving devices there would be good with some step by step instructions.
syntaxing 12/20/2025|||
Are you running Ubiquiti hardware? If so, should be very straight forward (one of the main reasons I went back to Ubiquiti stuff after running my own OPNsense router) https://lazyadmin.nl/home-network/unifi-zone-based-firewall/
tapland 12/20/2025||||
Pretty sure the camera in question breaks in fun ways. From my observations, because it can’t update its time, so messing with it a bit leads to a need to update, downgrade, and block from the web again.

But it’s worth trying

defraudbah 12/20/2025|||
depends on your router, but you would want to stick to ONVIF or RTSP and connect to the camera using some sort of Tailscale. Don't fall for installing open source firmware; there is only thingino and openipc, and both are hard to install if you are a beginner. Even if people say it's easy for a technical specialist, it's not.
cromka 12/21/2025||
They're also limited to older hardware; newer 3K+ cameras aren't supported. Different chip in use, I guess, or the manufacturers have learned to sign this firmware and burn in the keys.