August 18, 2020
Recently, TP-Link fixed a high-risk vulnerability in the C200 IP camera.
A user’s hashed password could be recovered from a memory dump obtained through the Heartbleed vulnerability exposed on TCP port 443. The hash could then be used in a pass-the-hash attack against the login process on the API. This caused a login token called “stok” to be issued, which could be used to authenticate to the device as the user.
With the token, an attacker could perform authenticated operations, such as moving the camera’s motor, formatting the SD card, creating an RTSP account to view the camera’s video feed, and disabling the privacy mode.
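For monitoring devices that still expose a Heartbleed-affected TLS service, the following added example (not code from TP-Link or from the original write-up) applies the RFC 6520 length rule, the same bound the OpenSSL fix enforces, to plaintext TLS records. The function names and the sample bytes are constructed for illustration, and the check only works on heartbeat records that are not yet encrypted.

```python
import struct

HEARTBEAT = 24      # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST = 1      # HeartbeatMessageType heartbeat_request
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding

def classify_record(header: bytes, fragment: bytes) -> str:
    """Classify one plaintext TLS record by the RFC 6520 length rule."""
    ctype, _version, rec_len = struct.unpack("!BHH", header)
    if ctype != HEARTBEAT:
        return "other"
    if rec_len != len(fragment) or rec_len < 3:
        return "malformed"          # truncated capture or too short to parse
    _hb_type, payload_len = struct.unpack("!BH", fragment[:3])
    # type + length field + declared payload + padding must fit inside the
    # record that actually arrived; otherwise the reply would read past it.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return "overread"
    return "ok"

def scan_stream(data: bytes) -> list:
    """Walk concatenated TLS records; return (offset, verdict) per heartbeat."""
    findings, off = [], 0
    while off + 5 <= len(data):
        header = data[off:off + 5]
        rec_len = struct.unpack("!H", header[3:5])[0]
        verdict = classify_record(header, data[off + 5:off + 5 + rec_len])
        if verdict != "other":
            findings.append((off, verdict))
        off += 5 + rec_len
    return findings

def record(ctype: int, fragment: bytes) -> bytes:
    """Build a constructed TLS 1.2 record for the sample input."""
    return struct.pack("!BHH", ctype, 0x0303, len(fragment)) + fragment

# Constructed sample: a handshake record, a well-formed heartbeat (4-byte
# payload plus 16 bytes of padding), and a heartbeat whose length field
# declares 16384 payload bytes while the record carries none.
SAMPLE = (
    record(22, b"\x01\x00\x00\x00")
    + record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 4) + b"ping" + bytes(16))
    + record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000))
)

if __name__ == "__main__":
    print(scan_stream(SAMPLE))
```

An "overread" verdict on traffic to the camera's TCP port 443 is the signal to treat stored password hashes and any issued "stok" tokens as exposed.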