Comment by bri3d 11 hours ago

The device should ideally have some kind of secret material derived per device, like a passphrase generated from an MCU serial number or provisioned into EEPROM and printed on a label on the device.

Some form of "enter the code on the device" or "scan the QR code on the device" could then mutually authenticate the app using proof-of-presence rather than hardcoded passwords. This can still be done completely offline with no "cloud" or other access, or "lock in"; the app just uses the device secret to authenticate with the device locally. Then the user can set a raw RTSP password if desired.

This way unprovisioned devices are not nearly as vulnerable to network-level attacks. I agree that this is Not Awful but it's also Not Good. Right now, if you buy this camera and plug it into a network and _forget_ to set it up, it's a sitting duck for the time window between network connection and setup.
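Added example, not code from the thread or from any TP-Link/Tapo product: a Python sketch of the pairing flow bri3d describes. A random 128-bit secret is provisioned per device (stored in EEPROM, printed on the label/QR), the app proves it read that label and the device proves it holds the same secret via an HMAC challenge-response, and only then is the RTSP password set. The `Device`/`App` classes, the `label()` format and the `"device"`/`"app"` domain tags are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-separated parts; the first part is a role tag
    so a proof from one side cannot be reflected back as the other side's."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Device:
    """Camera side. The per-device secret is generated once at manufacturing
    time (constructed here with secrets.token_bytes) and never sent on the wire."""

    def __init__(self, serial: str) -> None:
        self.serial = serial
        self.device_secret = secrets.token_bytes(16)  # 128-bit, unique per unit
        self.provisioned = False
        self.rtsp_password = None
        self._app_nonce = self._dev_nonce = None

    def label(self) -> str:
        # What is printed on the sticker / encoded in the QR code (assumed format).
        return f"{self.serial}:{self.device_secret.hex()}"

    def start_pairing(self, app_nonce: bytes) -> tuple[bytes, bytes]:
        # Pairing with the label secret is only honoured before provisioning,
        # so the label cannot be used to take over a camera already set up.
        if self.provisioned:
            raise PermissionError("device already provisioned")
        self._app_nonce = app_nonce
        self._dev_nonce = secrets.token_bytes(16)
        proof = _mac(self.device_secret, b"device", app_nonce, self._dev_nonce)
        return self._dev_nonce, proof  # device proves it holds the label secret

    def finish_pairing(self, app_proof: bytes, rtsp_password: str) -> bool:
        expected = _mac(self.device_secret, b"app", self._dev_nonce, self._app_nonce)
        if not hmac.compare_digest(expected, app_proof):
            raise PermissionError("app did not prove knowledge of the label secret")
        self.rtsp_password = rtsp_password  # set only over the authenticated exchange
        self.provisioned = True
        return True


class App:
    """Phone app side. It has no hardcoded secret; it learns the secret only
    by scanning the label on the physical device (proof of presence)."""

    def __init__(self, scanned_label: str) -> None:
        _serial, hex_secret = scanned_label.split(":")
        self.secret = bytes.fromhex(hex_secret)

    def pair(self, device: Device, rtsp_password: str) -> bool:
        app_nonce = secrets.token_bytes(16)
        dev_nonce, dev_proof = device.start_pairing(app_nonce)
        expected = _mac(self.secret, b"device", app_nonce, dev_nonce)
        if not hmac.compare_digest(expected, dev_proof):
            raise PermissionError("device did not prove knowledge of the label secret")
        app_proof = _mac(self.secret, b"app", dev_nonce, app_nonce)
        return device.finish_pairing(app_proof, rtsp_password)


def run_demo() -> dict:
    """Legitimate owner pairs; a party on the network without the label fails;
    the label is useless once the device has been provisioned."""
    cam = Device("SN-0001")  # constructed sample serial
    owner = App(cam.label())
    legit = owner.pair(cam, "owner-chosen-rtsp-pw")

    # Someone on the LAN who never saw the sticker only has a guessed secret.
    cam2 = Device("SN-0002")
    impostor = App(f"SN-0002:{secrets.token_bytes(16).hex()}")
    try:
        impostor.pair(cam2, "hijacked")
        impostor_ok = True
    except PermissionError:
        impostor_ok = False

    # Even with the real label, pairing is refused after provisioning.
    try:
        App(cam.label()).pair(cam, "second-try")
        replay_ok = True
    except PermissionError:
        replay_ok = False

    return {"legit": legit, "impostor": impostor_ok, "after_provision": replay_ok,
            "cam2_untouched": cam2.rtsp_password is None and not cam2.provisioned}


if __name__ == "__main__":
    print(run_demo())
```

The point of the nonces and role tags is that neither side ever sends the label secret itself, so a passive observer on the LAN during the setup window learns nothing reusable, and a captured device proof cannot be replayed as an app proof.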

mtlynch 10 hours ago

I agree that would be nice, but it also doesn't sound all that practical for a small vendor.

I used to sell a home networking device,[0] and I wouldn't do what you're describing. If there were an issue where the labels calculate the wrong password or the manufacturer screws up which device gets which label, you don't find out until months later when they're in customer hands and they start complaining, and now you have to unwind your manufacturing and fulfillment pipeline to get back all the devices you've shipped.

All that to protect against what attack? One where there's malicious software on the user's network that changes the device password before the user can? In that case, the user would just not use the camera because they can't access the feed.

[0] https://mtlynch.io/i-sold-tinypilot/

  • bri3d 10 hours ago

    Ha! I actually use TinyPilot all the time, nice!

    > I agree that would be nice, but it also doesn't sound all that practical for a small vendor.

    Personalizing / customizing per device always introduces a huge amount of complexity (and thus cost). However, this is TP-Link we're talking about, who definitely have the ability to personalize credentials at scale on other product lines.

    And again, to be clear, I'm not trying to argue that the current way is some horrible disaster from TP-Link, just advocating for a better solution where possible. I think the current system reads as fine, honestly, it sounds like typical cobbled together hardware vendor junk that probably has some huge amount of "real" vulnerability in it too, but this particular bit of the architecture doesn't offend me badly.

    > now you have to unwind your manufacturing and fulfillment pipeline to get back all the devices you've shipped.

    This can be avoided with some other type of proof-of-presence side channel which doesn't rely on manufacturing personalization - for example, a physical side-channel like "hold button to enable some PKI-based backup pairing or firmware update mode." For a camera, there should probably be an option to make this go away once provisioning is successful, since you don't want an attacker performing an evil maid attack on the device, but for pre-provisioning, it's a good option.

  • chrisweekly 8 hours ago

    Slight tangent: I just read your Tiny Pilot blog post, which was interesting and worthwhile. Thanks for sharing that!

  • kelnos 10 hours ago

    TP-Link is far from being a small vendor, though.

    • mtlynch 10 hours ago

      Ah, I see. I thought OP used TP-Link for their router. I missed that Tapo (the camera manufacturer) is a subsidiary of TP-Link.

    • creeble 10 hours ago

      I think he has it backwards: Easy for a small vendor, very hard for a large one.

crowfunder 8 hours ago

> The device should ideally have some kind of secret material derived per device, like a passphrase generated from an MCU serial number or provisioned into EEPROM and printed on a label on the device.

It is better than a simple secret like 12345678 but it can go wrong too, like in the case of UPC UBEE routers where the list of potential passwords can be narrowed down to like ~60 possibilities using a googled generator [1] whilst knowing only the SSID.

It did require firmware reverse engineering to figure out [2][3] but applies to most devices I've encountered. Users should ideally always change the default password regardless.

[1] https://upcwifikeys.com/UPC1236567

[2] https://deadcode.me/blog/2016/07/01/UPC-UBEE-EVW3226-WPA2-Re...

[3] https://web.archive.org/web/20161127232750/http://haxx.in/up...

yannyu 11 hours ago

AT&T routers, for example, ship like this. There's a wifi network and a wifi password printed onto the device.

But that also means that often anyone with physical access can easily get into the device. The complicated password provides an additional layer of illusion of security, because people then figure "it's not a default admin password, it should be good". The fundamental problem seems to be "many people are bad at passwords and onboarding flows", and so trying variations on shipping passwords seems to result in mostly the same problems.

  • some_random 11 hours ago

    If you have physical access you can just factory reset the device and onboard it with the normal flow though.

    • yannyu 10 hours ago

      That's fair, though at least resetting would indicate that an attack happened. Default passwords and printed passwords can result in undetected attacks, which are arguably worse.

      • some_random 8 hours ago

        It doesn't change anything in this case though, you can't use the default password against a tp-link device after it's been onboarded.

  • recursive 9 hours ago

    I feel seen. Why is the security illusory? I still don't understand the problem with this. Is the concern that someone will break into my house to covertly get access to my wifi password?

  • mystifyingpoi 10 hours ago

    Same with Orange branded ones. There is even a QR code that you can scan on your phone - no more typing 16-24 hex characters.

    It's hard to decide whether it's good or bad. It is definitely easier. Which I guess matters most in consumer grade routers.

miki123211 8 hours ago

These may be illegal in some jurisdictions due to accessibility laws, and are a bad idea in general, for these reasons as well as unattended configuration scenarios.

some_random 11 hours ago

If you buy the camera, plug it in, and forget to set it up, you just flat out can't use it right? I agree that proof of presence is way better but how many people are seriously going to be affected?

  • bri3d 11 hours ago

    No, if you buy the camera, plug it in, and forget to set it up, then someone can use the default password and key material stored in the app to pretend to be the app and provision it on your behalf.

    That's the only real vulnerability here, and it's no big deal, but it is A Thing and there is definitely a better way to do this that doesn't lose the freedom of full-offline.