Kasa camera flaw allows enumerating usernames for credential stuffing

The hacker who happens to be a hobbyist farmer and Kasa camera…
Kasa camera flaw allows enumerating usernames for credential stuffing


Most of the time, when security researchers come across vulnerabilities, they are looking for them by scanning devices in and out. This time though in the latest, a hobbyist farmer was only looking to catch someone eating his cucumber plant’s leaves when he stumbled upon flaws in a Kasa camera.

Set in position, Jason Kent from Cequence Security installed the camera’s mobile app in order to see the photos from the camera that was pointed towards his plant. These photos, he says, were being transmitted by the app connecting over the network directly to the camera but could also be seen even if he himself wasn’t connected to the network.

See: Techie buys Axon body camera from eBay; finds unencrypted police videos

Naturally concerned, Kent took a closer look which revealed several problems at bay. Firstly looking over the encryption of the data transmission, he found out that even though SSL was being used, the certificate wasn’t pinned making it “easy to open it up and look at the transactions”.

Secondly, it was revealed that Base64 encoding was being used for the user credentials instead of additional and more secure measures such as hashing which isn’t exactly the best thing to do when protecting a network.

Moving on, in a blog post, Kent explains another vulnerability in detail:

Of equal concern to me was that the authentication to the web platform, not the direct connection to the camera, was giving very verbose API error messages. Since I used my email address as my username, as most do on this platform, a simple set of requests would allow for enumeration of the user accounts on the platform.

The verbose messages mentioned by Kent happen to be the following:

  • Wrong username message: {“error_code”:-20600,”msg”:”Account not found”}
  • Wrong password message: {“error_code”:-20601,”msg”:”Password incorrect”}

As one would reason, these error messages could allow an attacker to easily collect a list of legitimate usernames and then conduct password attacks through techniques such as credential stuffing.

To conclude, as with every vulnerability revelation, the matter was reported to Kasa’s parent company, TP-LINK on the 5th of March 2020.

Soon after a couple of information exchanges, they got back with a new version of the firmware on June 11 2020 for both the application and the camera itself addressing the SSL pinning and Base64 encoding problem. However, the error message issue still remains with the company stating that it plans to fix it in the future.

See: White hat hackers infect Canon DSLR camera with ransomware

A takeaway from this entire report is that only putting in measures such as SSL is not enough, implementing them the right way and according to best practices should be the priority of every developer. Furthermore, as Kent suggested, error messages should be very limited in the information they convey to users so that they are not misused by threat actors.

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

Related Posts