
Posted by sibellavia 4 days ago

TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy (www.evilsocket.net)
345 points | 122 comments (page 2)
tills13 4 days ago
I have a few of these that I use with unifi for non-critical things over ONVIF and there's a reason they are on a separate vlan and not allowed to access the internet... Thankfully they don't die when you block them from phoning home.
SilverElfin 4 days ago
So which camera brand has adequately designed software? It’s hard to know as a consumer what to trust or not trust, because how do you evaluate the quality of their work when the device SEEMS to work as expected? Is Ring the only choice?
ssl-3 4 days ago
If the firmware is not open and buildable, then it can only be an untrustable black box.

If you don't want untrustable black boxes hanging around, then your options become pretty limited.

You can DIY something with an SBC like a Raspberry Pi or whatever. You can hang USB cameras off of your computers like it's 2002 again. You can try to find something that OpenIPC or thingino or whatever supports. (You'll never finish with this project as the years wear on, the hardware fails, product availability ebbs and flows, and the scope changes. Maybe that sounds like a fun way to burn time for someone, but it doesn't sound like fun to me.)

Or, you can accept that the world is corrupted -- and by extension, the cameras are also all corrupted.

The safe solution is then actually pretty simple: Use wired-only cameras that work with Frigate (or whatever your local NVR of choice may be), keep them on their own private VLAN that lacks Internet access, and don't worry about it.

The less-safe solution is also pretty simple: Do what everyone else is doing, and just forget the problem exists at all. Switch your brain off, buy whatever, and use it. (And if there's an area that you don't want other people to see, then: Don't put a camera there.)

(We probably are not as interesting as we may think we are, anyway.)

notjosh 4 days ago
I've installed Thingino on my cameras such as this. Cheap camera + custom (local only!) firmware is a good solution imo.

No guarantee that it'll be perfect either, obviously, but it's open source and actively maintained. Highly recommended.

dns_snek 3 days ago
Thingino is great for many other reasons but security is not one of them - definitely segregate those cameras on a locked down VLAN. The web interface is HTTP-only and it uses the same credentials as root SSH access on the camera, and most of the web ui handling code is highly questionable to say the least.
mlaretallack 4 days ago
Very interesting. I had a go with Ghidra and AWS Amazon Q, and used it to reverse the video feed on a toy drone. I did not think to look for GhidraMCP; it would have made it a lot quicker.
defraudbah 4 days ago
I used this website to research the camera https://drmnsamoliu.github.io/
nine_k 4 days ago
I more and more tend to not buy any network-connected product if there's no open-source firmware to run on it.

(Phones are one notable exception. I need contactless payments to work.)

tehlike 4 days ago
Good thing some tapos do have alternative firmware like thingino.
dns_snek 3 days ago
You should still treat it as radioactive waste. Protect it and protect yourself from it - segregated VLAN, no internet access, just like you would do with official firmware.
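A concrete version of the isolation that ssl-3 (wired cameras on a private VLAN with no Internet, reached only by the local NVR) and dns_snek (segregated VLAN, no Internet access, regardless of firmware) both recommend. This is an added example, not from the thread and not from Frigate, Thingino or TP-Link; it prints an nftables ruleset for a Linux router, and the interface names, camera subnet and NVR address are assumed placeholders that you override in the environment.

```shell
#!/bin/sh
# Added example, not from the thread: nftables policy for an isolated camera VLAN.
# All values below are assumed placeholders; override them in the environment.
CAM_IF="${CAM_IF:-vlan30}"               # VLAN interface the cameras live on
CAM_NET="${CAM_NET:-192.168.30.0/24}"    # camera subnet
NVR_IP="${NVR_IP:-192.168.10.5}"         # Frigate / NVR host on the trusted LAN
WAN_IF="${WAN_IF:-eth0}"                 # upstream (Internet) interface

# Print a ruleset in which the cameras can never initiate a connection anywhere:
# not to the Internet, not to other VLANs. The NVR initiates toward the cameras;
# the router itself only answers DHCP and NTP for them.
camera_vlan_ruleset() {
  cat <<EOF
table inet camera_vlan {
  chain forward {
    type filter hook forward priority 0; policy accept;
    # Replies to connections the NVR opened (RTSP/ONVIF streams) flow back
    ct state established,related accept
    # Only the NVR may open connections to the camera subnet
    ip saddr $NVR_IP ip daddr $CAM_NET accept
    # Count phone-home attempts separately so they show up in 'nft list ruleset'
    iifname "$CAM_IF" oifname "$WAN_IF" counter drop
    # Everything else the cameras try to initiate is dropped
    iifname "$CAM_IF" drop
  }
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$CAM_IF" ct state established,related accept
    # The router itself only serves DHCP (67) and NTP (123) to the cameras
    iifname "$CAM_IF" udp dport { 67, 123 } accept
    iifname "$CAM_IF" drop
  }
}
EOF
}

# Usage: ./camera_vlan.sh         -> print the ruleset for review
#        ./camera_vlan.sh apply   -> load it (needs root and nftables installed)
case "${1:-print}" in
  apply) camera_vlan_ruleset | nft -f - ;;
  *)     camera_vlan_ruleset ;;
esac
```

Both chains keep `policy accept` so the table only governs the camera VLAN and can sit next to whatever rules already handle the rest of the network; the `counter` on the WAN rule is there so you can confirm, as tills13 did, that the cameras keep working while every phone-home attempt is being dropped.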
mindslight 4 days ago
If you call up your contactless payment provider, most will send you a physical device that will do contactless payments on its own, for free even. You can tape it to the back of your phone, or anywhere else for that matter.
chatmasta 4 days ago
Also, your phone doesn’t need to be connected to the internet for contactless payments, anyway.
shreddit 4 days ago
As soon as I read that the author used Grok as an AI assistant, I was somehow less interested in reading on. Not because of the usage of AI, but because of the chosen provider. (I don’t know whether Grok is just the best choice for this kind of work.)

Is it wrong to judge people for their choice of ai providers?

sva_ 4 days ago
I think when your political views cloud your ability to take in information on an objective level, it might be bad.
wh0thenn0w 4 days ago
You can just not like Elon, doesn't have to be political at all.
vablings 4 days ago
I think it's hard to say. Grok is pretty good and also fairly free with good usage limits.

Every single AI company in my opinion is committing fairly grave misdeeds with the ruthless scraping of the internet and lack of oversight.

Not to mention the shady backdoor deals going on with big tech and the current administration.

Grok is also pretty bad with its whole gas turbines in one state and datacenter in another, and some possible environmental issues.

It's more of a pick-your-poison at this point.

wyldfire 4 days ago
> also fairly free with good usage limits.

But doesn't it need to have such free usage in order to overcome image problems? Referring to itself as a Nazi [1][2] for example.

[1] https://www.npr.org/2025/07/09/nx-s1-5462609/grok-elon-musk-...

[2] https://www.politico.com/news/magazine/2025/07/10/musk-grok-...

scotty79 4 days ago
It's worth interacting with all models. In my experience, for programming questions grok delivered better answers than ChatGPT (and Claude) often enough that at some point I wasn't sure which model I should be asking first.
kernal 4 days ago
No, because it allows us to evaluate the type of person you are. For example, I can tell you're a member of Bluesky.
walterbell 4 days ago
Which AI providers have access to real-time Twitter data?
2gremlin181 4 days ago
Genuinely curious, what are some use cases that you require live Twitter data in your LLM for?
walterbell 4 days ago
The topic of this HN thread: security, which is ever-evolving.
blibble 4 days ago
When has anything of value been posted on Twitter?
sroussey 4 days ago
Ones with better answers. Twitter dumbs down grok.
robertpohl 4 days ago
If a friend has this camera, should he be worried?
tamimio 4 days ago
Per the article, the attacker can restart the camera and potentially find the accurate position of it. However, if the attacker can be physically in proximity within the camera range, they can MITM it and intercept the video feed. So it depends on your friend's threat model. If the camera is recording something in a public location and they don't mind the location being exposed and potentially the video feed (like plenty of live public cameras), then it shouldn't be an issue. Otherwise, they need to disable it until it gets fixed.
reddalo 4 days ago
> they can MITM it

Can they? I thought they could only do it if they're in the same LAN.

defraudbah 4 days ago
The exploit is to make the camera disconnect and connect to your Wi-Fi; that's how they MITM. Pretty long process unless you do it often.
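The sequence tamimio and defraudbah describe (camera forced off its network, then rejoining somewhere else) is visible from the defender's side as the camera repeatedly dropping off the legitimate access point, or not coming back at all. Added example, not from the thread: a POSIX shell/awk filter over hostapd association events that flags a watched camera MAC for too many disconnects in the log window or for not being associated at the end of it. The log lines are constructed samples in hostapd's syslog event format (not a real capture), and the MAC address and threshold are assumptions. Wired cameras, as ssl-3 suggests, avoid this class of problem entirely.

```shell
#!/bin/sh
# Added example, not from the thread: flag a camera that keeps falling off the AP.
# Constructed sample of hostapd syslog output (not a real capture). Field layout:
#   Mon DD HH:MM:SS host hostapd: iface: AP-STA-(CONNECTED|DISCONNECTED) mac
SAMPLE_LOG='Jul 10 21:00:01 router hostapd: wlan0: AP-STA-CONNECTED aa:bb:cc:dd:ee:01
Jul 10 21:05:12 router hostapd: wlan0: AP-STA-DISCONNECTED aa:bb:cc:dd:ee:01
Jul 10 21:05:20 router hostapd: wlan0: AP-STA-CONNECTED aa:bb:cc:dd:ee:01
Jul 10 21:06:02 router hostapd: wlan0: AP-STA-DISCONNECTED aa:bb:cc:dd:ee:01
Jul 10 21:06:30 router hostapd: wlan0: AP-STA-CONNECTED aa:bb:cc:dd:ee:01
Jul 10 21:06:41 router hostapd: wlan0: AP-STA-DISCONNECTED aa:bb:cc:dd:ee:01
Jul 10 21:07:00 router hostapd: wlan0: AP-STA-CONNECTED aa:bb:cc:dd:ee:02'

# camera_assoc_alerts MAC THRESHOLD   (hostapd log on stdin)
# Prints one ALERT line per condition; prints nothing when the camera looks healthy.
camera_assoc_alerts() {
  awk -v mac="$(printf '%s' "$1" | tr 'A-F' 'a-f')" -v thresh="$2" '
    # Only association events for the watched MAC (fields 7 and 8 in the layout above)
    $7 ~ /^AP-STA-/ && tolower($8) == mac {
      if ($7 == "AP-STA-DISCONNECTED") { drops++; online = 0; last = $1 " " $2 " " $3 }
      else if ($7 == "AP-STA-CONNECTED") { online = 1 }
    }
    END {
      if (drops >= thresh)
        printf("ALERT %s: %d disconnects in window (forced-disconnect pattern)\n", mac, drops)
      if (!online)
        printf("ALERT %s: not associated at end of window (last disconnect %s)\n",
               mac, (last != "" ? last : "never seen"))
    }'
}

# Usage: ./assoc_alerts.sh [MAC] [THRESHOLD]; defaults are assumed sample values
printf '%s\n' "$SAMPLE_LOG" | camera_assoc_alerts "${1:-aa:bb:cc:dd:ee:01}" "${2:-3}"
```

In practice you would feed `journalctl -u hostapd` or the router's syslog for a fixed window instead of `SAMPLE_LOG`; a camera that normally sits on the AP for weeks has no reason to disconnect three times in two minutes, so the threshold can be low, and the "not associated" alert catches the case where the camera has rejoined somewhere else and simply never comes back.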
buddhistdude 3 days ago
Could be automated, though?
defraudbah 3 days ago
Yes, everything can be automated, and as people don't always have time to automate everything, it depends on whether your area has many C200s, which is a home camera, not an outdoor one.
buddhistdude 4 days ago
Not necessarily worried, but, like, put on some pants before entering the room.
userbinator 4 days ago
If it's isolated from the Internet, no.
g5pw 4 days ago
As @tehlike said in a sibling comment, it looks like it is supported by https://thingino.com, so you can 'update' the firmware to a more secure (and FOSS) one!
sciencejerk 4 days ago
Yep
jammo 4 days ago
[dead]