Blog: Internet Of Things
All your video are belong to us part 2. The TP Link TL-SC3230’s CSRF
This follows hot on the heels of my previous camera post All your video are belong to us. The Foscam webcam.
How to hack the TP Link TL-SC3230
…and send frames of its feed to a server of your choice.
We’ve just had a response from TP Link to say that this firmware will not be upgraded as the camera is out of support / end of life. Since I just bought it as new on Amazon with no indication that this is the case, I would probably recommend a little more background research than I’ve done before you purchase any new kit!
Because the TP Link device does not protect against Cross Site Request Forgery attacks, it is possible to create a web page which would start emailing all video frames to a server of the attacker’s choice.
Essentially the only difference is a few headers like Referer. The cookies for the site get sent automatically by the browser so you cannot just rely on a valid session cookie. (In this case, the camera uses Basic Auth, but that also gets sent automatically if you’ve asked for it to be remembered, so in some ways that’s even worse as there’s no session timeout.)
Anyway, because we think the TP-Link is likely to be on a home network, and we can read the computer’s own IP address on some browsers, we can spray the CSRF around the local network. In this PoC I’ve chosen to match on something like 192.168.1-10/24 and then send the attack to every address on whatever network we find.
This isn’t anything like production quality and was only hacked together to prove the point:
And here’s the two files that are invoked as IFRAMEs. As with the Foscam, one does configuration, the other does scheduling:
If you visit the first file, hosted on a webserver, it fakes two POSTs to each IP address on the local network, which the camera can’t distinguish from genuine user-initiated commands.
A quick fix would be to check the Referer header is sensible before acting upon any POST requests.
This is the screenshot showing the CSRF spray on the left, and the email starting to flow in on the right.
Owners: As the bug isn’t being fixed you could consider replacing the camera. If you are sticking with it however you’ll need to be careful.
This is the manufacturers advice:
“…try to fix it by cleaning the cookies of the web browser and don’t check remember password.”
IoT vendors: These devices have a long lifespan, so think carefully about pulling support from product that is still being sold. You run the risk of damaging your brand.