Reverse Engineering TP-Link Tapo Camera: From Pet Monitoring to Security Analysis
By
kennedn
Hand-rolled, kettle-boiled, baked to perfection. Worth every minute at the bakery.
Summary
A user purchased a TP-Link Tapo indoor camera to monitor their dog but became frustrated with the setup process and lack of documentation. This led them to reverse-engineer the camera's onboarding flows, decompile the APK, perform TLS session MITM attacks, and write cryptographic scripts to understand how the camera works and integrate it with frigate home surveillance software.
Key quotes
· 3 pulledI ended up reverse-engineering onboarding flows, decompiling an APK, MITMing TLS sessions, and writing cryptographic scripts
My main motivation for this project really stemmed from the fact that the camera annoyed me from day one
Setting the camera up in frigate was quite painful, no one really seemed to know how these cameras worked online
Article URL: https://kennedn.com/blog/posts/tapo/
Comments URL: https://news.ycombinator.com/item?id=45251690
Points: 3
# Comments: 1
You might also wanna read
Apple publishes corecrypto with formal verification proofs for quantum-secure ML-KEM and ML-DSA algorithms
Apple has published the corecrypto library containing quantum-secure ML-KEM and ML-DSA algorithms, along with formal verification proofs tha
security.apple.com·9d ago
Security researchers adapt Pixel 9 exploit chain to target Google Pixel 10
This article describes how security researchers adapted an exploit chain originally developed for the Google Pixel 9 to work on the Pixel 10
projectzero.google·17d ago
Technical Analysis: Exploiting the Tesla Wall Connector via Charge Port Firmware Manipulation
This article details the technical process of exploiting a Tesla Wall Connector through its charge port connector. It describes the firmware
synacktiv.com·17d ago
Researchers demonstrate first public macOS kernel memory corruption exploit on Apple M5 silicon
Researchers report the first public macOS kernel memory corruption exploit on Apple's M5 silicon, successfully bypassing Apple's MIE (Memory
blog.calif.io·17d ago
How to Modify a Doorking Apartment Intercom for Apple Home Automation
A detailed technical guide about modifying a Doorking 1834-080 apartment intercom system to integrate with Apple Home automation after the a
%3B%22%2F%3E%0A%20%20%20%20%3Cg%20transform%3D%22matrix(1.03462%2C0%2C0%2C1.04743%2C-37.3869%2C-51.2286)%22%3E%0A%20%20%20%20%20%20%20%20%3Cpath%20d%3D%22M238.356%2C824.795C214.991%2C824.795%20196.991%2C820.321%20184.355%2C811.372C171.719%2C802.423%20165.401%2C790.413%20165.401%2C775.341C165.401%2C762.153%20170.05%2C752.027%20179.348%2C744.962C188.646%2C737.897%20199.494%2C734.365%20211.892%2C734.365C224.289%2C734.365%20235.256%2C737.073%20244.793%2C742.489C254.329%2C747.906%20263.151%2C757.208%20271.257%2C770.396L284.131%2C792.297C286.515%2C795.594%20289.495%2C797.242%20293.071%2C797.242C296.648%2C797.242%20299.151%2C795.123%20300.581%2C790.884C303.442%2C781.464%20305.469%2C767.688%20306.661%2C749.554C307.853%2C731.421%20308.449%2C709.402%20308.449%2C683.498C308.449%2C653.825%20307.734%2C615.675%20306.303%2C569.047C304.873%2C522.418%20303.442%2C464.957%20302.012%2C396.663C302.012%2C376.411%20294.383%2C363.694%20279.124%2C358.513L262.674%2C352.861L262.674%2C345.796L450.067%2C345.796L450.067%2C352.861L434.331%2C358.513C425.749%2C361.81%20419.907%2C366.167%20416.808%2C371.583C413.709%2C376.999%20412.159%2C384.653%20412.159%2C394.544L412.159%2C534.429C412.159%2C580.586%20410.013%2C618.736%20405.722%2C648.88C401.43%2C679.023%20394.516%2C705.163%20384.98%2C727.3C373.059%2C758.856%20353.628%2C782.995%20326.688%2C799.715C299.747%2C816.435%20270.303%2C824.795%20238.356%2C824.795Z%22%20style%3D%22fill%3Argb(243%2C244%2C246)%3Bfill-rule%3Anonzero%3B%22%2F%3E%0A%20%20%20%20%20%20%20%20%3Cpath%20d%3D%22M477.246%2C812.079L477.246%2C805.014L491.551%2C799.362C501.087%2C796.065%20507.405%2C791.59%20510.504%2C785.938C513.604%2C780.287%20515.154%2C772.986%20515.154%2C764.037L515.154%2C394.544C515.154%2C385.124%20513.604%2C377.588%20510.504%2C371.936C507.405%2C366.284%20501.087%2C361.81%20491.551%2C358.513L477.246%2C352.861L477.246%2C345.796L658.917%2C345.796L658.917%2C352.861L646.758%2C357.806C637.698%2C361.103%20631.499%2C365.46%20628.162%2C370.876C624.824%2C376.293%20623.155%2C383.711%20623.155%2C393.131L623.826%2C556.699L794.097%2C556.344L794.097%2C393.131C794.097%2C383.711%20792.548%2C376.293%20789.448%2C370.876C786.349%2C365.46%20780.031%2C361.103%20770.494%2C357.806L757.62%2C352.861L757.62%2C345.796L940.006%2C345.796L940.006%2C352.861L925.701%2C358.513C916.642%2C361.81%20910.443%2C366.284%20907.105%2C371.936C903.767%2C377.588%20902.098%2C385.124%20902.098%2C394.544L902.098%2C764.037C902.098%2C772.986%20903.767%2C780.287%20907.105%2C785.938C910.443%2C791.59%20916.642%2C796.065%20925.701%2C799.362L940.006%2C805.014L940.006%2C812.079L757.62%2C812.079L757.62%2C805.014L770.494%2C800.775C780.031%2C797.007%20786.349%2C792.415%20789.448%2C786.998C792.548%2C781.582%20794.097%2C774.164%20794.097%2C764.744L794.333%2C587.973L623.007%2C587.627L623.155%2C764.744C623.155%2C782.171%20631.022%2C794.181%20646.758%2C800.775L658.917%2C805.014L658.917%2C812.079L477.246%2C812.079Z%22%20style%3D%22fill%3Argb(243%2C244%2C246)%3Bfill-rule%3Anonzero%3B%22%2F%3E%0A%20%20%20%20%3C%2Fg%3E%0A%3C%2Fsvg%3E)
jackhogan.me·2mo ago
Extracting Lego NXT Firmware and Discovering Arbitrary Code Execution Vulnerabilities
The article details the process of dumping firmware from a Lego NXT Mindstorms brick, which led to the discovery of arbitrary code execution