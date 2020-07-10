Infosecurity Group Websites
Latest
News

Vulnerability Found in Kasa Camera

A hobby farmer on the hunt for a vegetable-eating critter has discovered a flaw in a popular outdoor home security camera. 

Midwesterner Jason Kent purchased a Kasa camera to help identify whatever creature it was that had been eating his cucumber plants. In addition to uncovering the antics of a groundhog, Kent was alarmed to discover an account takeover (ATO)/credential stuffing vulnerability in the security device.

Kent said: “Upon installation I realized the mobile application was connecting directly over the network to the camera, and if I wasn’t on the network, I still could see the images from my camera on the mobile app. As a security professional, this concerned me.”

Kent, who is hacker-in-residence at Cequence Security, said the cybersecurity flaw he found in the device could allow a bad actor to spy on a user's home and change the camera’s settings.

“This API vulnerability makes it easier for a cyber-criminal to take over someone’s Kasa camera account and then use that access to change passwords, modify camera settings, view private security footage or use it to surreptitiously snoop on a user’s home,” he said.

Through further investigation, Kent discovered that although the Kasa’s mobile application uses SSL, the SSL certificate wasn’t pinned. This made it “easy to open it up and look at the transactions.”

“I also found that the authentication is simply BASE64 encoded username:password being passed under SSL,” said Kent. 

“Security best practices dictate that the application should hash under the SSL rather than encoding and reiterated the value of pinning the certificate.”

Of equal concern to Kent was the finding that the authentication to the web platform was giving “very verbose” API error messages included phrases such as “password incorrect.” Kent posits that this could leave users who set up their username as their email address vulnerable to cyber-attack.

Kent reported his concerns to TP-LINK, parent company of the Kasa brand, in March 2020. On June 15, the company said that the vulnerability he found would be fixed. At time of publication, the flaw had still not been remedied.

Related to This Story

What’s Hot on Infosecurity Magazine?

1
News

SurveyMonkey Phishers Go Hunting for Office 365 Credentials

2
News

HSBC SMS Phishing Scam Targets UK Victims

3
News

Cyber-Attack Downs Alabama County’s Network

4
News

Microsoft Confirms Takedown of Phishing Domains

5
News

Zoom Zero-Day Bug Hits Legacy Windows Users

6
News

German Police Seize BlueLeaks Server

1
News

Californian Jailed Over Identity Theft Scheme Targeting Military

2
News

SANS Institute Cyber-Skills Game Now Available in Middle East

3
News

Vulnerability Found in Kasa Camera

4
News

Cloud Adoption Held Back by Data Loss and Compliance Fears

5
Interview

Interview: John Hertrich, President and CEO, Identité

6
News

Google Bans Stalkerware Ads From its Pages

1
Webinar

ISO 27701: The New Privacy Standard, and How You Can Get Certified and Compliant

2
Webinar

The Impact of Artificial Intelligence on Cyber-Resilience

3
Webinar

From Governance to Implementation to Results

4
Webinar

Building Remote Resilience: A Secure by Design Approach to Remote Working

5
Webinar

Mitigating the Security Risks and Challenges of Office 365

6
Webinar

Key Technologies, Strategies and Tactics to Fight Phishing

1
News Feature

Industry Figures Make #VersusRacism Pledge

2
Interview

Interview: Lior Div and Cybereason’s ‘UbU’ Diversity, Equity and Inclusion Mission

3
Blog

Busting the Top Myths About Privileged Access Management

4
Opinion

SIM Swap - The Silent Hacker

5
News Feature

Effective Cybersecurity in Hospitals During #COVID19 and Beyond

6
Webinar

The CCPA Enforcement Era Begins: What to Expect from California’s Privacy Act