Nice project, great to see the scripts doing good work in the wild. If you needed any extra additions or tweaks to get them working, I'd love to hear about it.
Http toolkit is one of the best software i have used. I have used mitmproxy, proxyman and charles proxy and httptoolkit is the best and is open source too.
> SIDENOTE: If you want 2 way audio to work in frigate you must use the tapo:// go2rtc configuration for your main stream instead of the usual rtsp://. TP-Link are lazy and only implement 2 way audio on their own proprietary API.
Annoyingly when this is in use, I can't use ONVIF which seems like the only way to pan and tilt the camera using open tools. So if I want to use two way audio and also control the camera, I have to stop the process reading tapo:// stream, start onvif client and rotate, turn off onvif client and start streaming using tapo:// again
IoT security is generally terrible, but the fact that consumer routers are essentially unaudited black boxes processing all your network traffic is genuinely concerning.
Most people have no idea their router firmware hasn't been updated in years and is probably running known CVEs. The supply chain trust model for networking hardware is broken.
There are countless routers in between you and your destination which you can't audit anyway. End devices long since consider the routers to be compromised and have everything verified and encrypted in transit. So unless your router is participating in a DDoS or mining bitcoins it doesn't really matter how secure it is.
Most people are using routers given to them (and configured by) their ISP... so really they are blackboxes connected to an upstream blackbox for most people.
I am always surprised by how many people give me their ISP chosen router name and ISP chosen password when I connect to their WiFi. I don't want to give my ISP that much control.
Most people only care about how strong the signal is when buying a router, but almost no one checks if the firmware is outdated, or bothers to change the default password or disable remote access. And manufacturers rarely remind you either, so over time it just becomes a hidden risk.
The stuff on the shelf, sure, but you can always go 'prosumer-grade' like Ubiquiti or Mikrotik for hardware that actually receives timely updates and has competently written firmware.
Like sometimes I want IoT devices to just bloody connect, and if I have to use a published exploit that circumvents online only requirements I will do it.
But some people do genuinely have use cases for cloud speaking IoT stuff.
Really I think the device should ask at first run, and then burn in your response and act only in the selected mode. If you want it to require Cloud MFA, thats an option, if you want to piss python at your lightbulb to make it blink, then thats where it lives permanently.
Personally I treat any ISP provided (or big box store) router as compromised anyway. I install my own router as a replacement, or if not possible, just as the sole device downstream of it, and connect all my stuff to my own router. And I use Tailscale + other routing DNS servers, etc.
Fritzbox brand and possibly others updates itself automatically by default. ISPs often also control the devices they ship to clients and install updates as part of a "fleet management".
Nitpick but "known CVEs" doesn't mean a vulnerable device. The majority of CVEs in your NAT box sw (aside: NAT is not routing) are going to be things like "insecure temp file handling".
Your point of course stands, the situation is terrible.
really like how this blog is written. a lot of writeups like this recently have been generated by an LLM, and it's quite distracting to read - this was a pleasant surprise. it strikes a good balance between technical and laid-back
(yes i know the cover image is AI-generated, that's incidental to the content)
I've been blocking by default bigger media files with uBlock Origin to avoid needless resource usage. Cover images are typically blocked, and they are usually useless anyway.
It's too bad people spend energy for generating them now.
It's a hardcoded default password, not a permanent backdoor. If I'm understanding the post correctly, the user changes it as part of the onboarding flow.
This is the way most apps work if they have a default password the user is supposed to change.
I mean, given that it's updated after setup with the normal flow, I'm okay with it.
The thing I've most been convinced of in the past 5 years of building as much 'iot/smart home' stuff out as possible in my house is that nearly every vendor is selling crap that has marginal usefulness outside of a 'party trick' in isolation. Building out a whole smart home setup is frustrating unless it's all from one vendor, but there isn't one vendor which does all of it well for every need.
On my phone I have apps for: Ecobee, Lutron, Hue, 4 separate camera vendors[1], Meross, and Smart Life. Probably a couple more that I'm forgetting.
Only Lutron and Hue are reasonable in that they allow pretty comprehensive control to be done by a hub or HomeKit so I never have to use those apps.
It's been years since Matter and Thread were supposedly settled upon as the new standards for control and networking, but the market is, instead of being full of compatible devices, instead absolutely packed with cheap wi-fi devices, each of which is cloud-dependent and demands to be administered and even used day-to-day only through a pile-of-garbage mobile app whose main purpose is to upsell you on some cloud services.
[1] I admit the fact I have 4 is my fault for opportunistically buying cameras that were cheap rather than at least sticking with one vendor. But many people have a good excuse, perhaps one vendor makes the best doorbell camera, while another might make a better PTZ indoor camera.
I know people who are still using the router their ISP gave them, and they’ve never even changed the default password. The thing is, they don’t even know it can be updated, let alone that there might be security vulnerabilities. To most users, if the internet works, that’s all that matters.
As it should be. The problem is that for ISPs, "Internet works" is defined as minimum possible service level that doesn't cause active revolt of majority of customers.
Good hardware? Costs money. Connecting to anything that goes beyond Netflix and Facebook requirements? Costs money, operations isn't cheap. Anything unusual (so much so as being seen borderline criminal) as hosting your own server, email, or $deity forbid networking hardware? Forget it, support costs money.
I love little projects like this, but man does this make me glad things like Thingino exists. Installing the firmware takes like 5 minutes, a little self-hosted web configurator pops up, you put in an SSID and a password, the camera reboots, and its yours. We should not have to reverse engineer crap like this.
I used to get in the kind of frustrated situations where, like the author, I spent two days reverse-engineering something I had just bought just to get it to do what I thought it obviously would when I bought it.
IOT things like the thing he bought are (were) typically the worst kind of offenders.
I just don't do that anymore. It used to bring me pleasure cracking the nut, and that's not the case any longer.
These days, if it does not do what I need more or less out of the box, I just return it / send it back and research the follow-up buy better.
Does anyone have a good reference for which tapo cameras support rtsp? I have a c210 that works well (sort of, you can't use it with their cloud capture) and I have it working with frigate.
But today I got a c402 (outdoor) thinking I could use it to capture my son's soccer practice. But that doesn't have the camera account option under advanced.
I love the price point of these devices but the functionality is all over the place.
If anyone knows a good outdoor camera, preferably with solar panel, that is cheap and has an rtsp stream, please let me know.
You should still be able to use the tapo:// go2rtc stream source even if the camera does not support the rtsp:// via the camera account option. Have a look at my frigate configuration for reference - https://github.com/kennedn/frigate/blob/7c56604e819d2cb1da28...
I tried and failed at enough suggestions I found on the internet and via AI to cobble together a frigate configuration that eventually worked with the Tapo cameras.
RTC setup section:
go2rtc:
streams:
<Camera RTC name>:
- rtsp://tapoadmin:<local camera account password>@<camera IP address>:554/stream1
- ffmpeg:<Camera RTC name>#audio=opus
- tapo://<Tapo cloud password>@<camera IP address>
<Camera RTC name>_sub:
- rtsp://tapoadmin:<local camera account password>@<camera IP address>:554/stream2
- ffmpeg:<Camera RTC name>_sub#audio=opus
- tapo://<Tapo cloud password>@<camera IP address>
* <Camera RTC name> is just any old short name you want to assign to the camera.
* <Camera name> is the main name for the camera that will be shown in the frigate UI
* <local camera account password> is something set individually on each camera (settings > Advanced > Camera Account, set it to On and setup username/password > Account Information)
* <Tapo cloud password> is the password setup for the Tapo app (I'm not sure how necessary this is, since there's nowhere that the username is specified... this is the only bit I'm fuzzy on)
This is the basics that works for me for the Tapo cameras. There are a boatload of other settings specific to Frigate (but not specific to Tapo cameras).
This is nowhere near as cool hack as the article, however.
Hello, as I alluded to in my blog post you should use tapo:// as the main stream source to get two-way audio. You can then optionally use rtsp://.../stream2 as a lower resolution sub stream source for detections. Defining both tapo:// and rtsp:// in a single stream is redundant as go2rtc only picks one or the other. My own configuration is here for reference https://github.com/kennedn/frigate/blob/7c56604e819d2cb1da28...
Not aware of a list or something, but before buying any appliance I try searching if it's "jailbreak-able".
For example I'll search if the router I want to purchase has guides to install openWRT on it, how hard it is to break out of the vendor software loop.
Recently even my Aircon had a mandatory app that it required to even finish installation. I got so pissed I dumped the firmware and reverse engineered the protocol enough to figure out how to set fan speed, temperature and mode. Sitting in the sweltering New Delhi heat really expedited the process.
At this point, I'd pay extra for a camera, thermostat, or doorbell that just does its job without demanding an account, a cloud link, and a monthly fee to unlock basic features
[+] [-] pimterry|6 months ago|reply
Nice project, great to see the scripts doing good work in the wild. If you needed any extra additions or tweaks to get them working, I'd love to hear about it.
[+] [-] kennedn|6 months ago|reply
frida -U \
-f com.tplink.iot[+] [-] cute_boi|6 months ago|reply
[+] [-] stavros|6 months ago|reply
[+] [-] bayesianbot|6 months ago|reply
Annoyingly when this is in use, I can't use ONVIF which seems like the only way to pan and tilt the camera using open tools. So if I want to use two way audio and also control the camera, I have to stop the process reading tapo:// stream, start onvif client and rotate, turn off onvif client and start streaming using tapo:// again
[+] [-] selinkocalar|6 months ago|reply
[+] [-] Gigachad|6 months ago|reply
[+] [-] cortesoft|6 months ago|reply
I am always surprised by how many people give me their ISP chosen router name and ISP chosen password when I connect to their WiFi. I don't want to give my ISP that much control.
[+] [-] ByteDrifter|6 months ago|reply
[+] [-] briHass|6 months ago|reply
[+] [-] protocolture|6 months ago|reply
I think IoT demands a rethink of security.
Like sometimes I want IoT devices to just bloody connect, and if I have to use a published exploit that circumvents online only requirements I will do it.
But some people do genuinely have use cases for cloud speaking IoT stuff.
Really I think the device should ask at first run, and then burn in your response and act only in the selected mode. If you want it to require Cloud MFA, thats an option, if you want to piss python at your lightbulb to make it blink, then thats where it lives permanently.
[+] [-] pabs3|6 months ago|reply
[+] [-] java-man|6 months ago|reply
[+] [-] lazide|6 months ago|reply
[+] [-] lo0dot0|6 months ago|reply
[+] [-] teaearlgraycold|6 months ago|reply
[+] [-] fulafel|6 months ago|reply
Your point of course stands, the situation is terrible.
[+] [-] gnabgib|6 months ago|reply
The Tapo C200 research project https://drmnsamoliu.github.io/ (https://news.ycombinator.com/item?id=37813013)
PyTapo: Python library for communication with Tapo Cameras https://github.com/JurajNyiri/pytapo (https://news.ycombinator.com/item?id=41267062)
[+] [-] bstsb|6 months ago|reply
(yes i know the cover image is AI-generated, that's incidental to the content)
[+] [-] jraph|6 months ago|reply
It's too bad people spend energy for generating them now.
[+] [-] 201984|6 months ago|reply
[+] [-] tripdout|6 months ago|reply
(TP-Link Firmware Decryption C210 V2 cloud camera bootloaders) https://watchfulip.github.io/28-12-24/tp-link_c210_v2.html?u...
[+] [-] fnord77|6 months ago|reply
https://nvd.nist.gov/vuln/detail/CVE-2022-37255
[+] [-] downrightmike|6 months ago|reply
[+] [-] micah94|6 months ago|reply
[+] [-] mtlynch|6 months ago|reply
This is the way most apps work if they have a default password the user is supposed to change.
[+] [-] some_random|6 months ago|reply
[+] [-] xp84|6 months ago|reply
The thing I've most been convinced of in the past 5 years of building as much 'iot/smart home' stuff out as possible in my house is that nearly every vendor is selling crap that has marginal usefulness outside of a 'party trick' in isolation. Building out a whole smart home setup is frustrating unless it's all from one vendor, but there isn't one vendor which does all of it well for every need.
On my phone I have apps for: Ecobee, Lutron, Hue, 4 separate camera vendors[1], Meross, and Smart Life. Probably a couple more that I'm forgetting.
Only Lutron and Hue are reasonable in that they allow pretty comprehensive control to be done by a hub or HomeKit so I never have to use those apps.
It's been years since Matter and Thread were supposedly settled upon as the new standards for control and networking, but the market is, instead of being full of compatible devices, instead absolutely packed with cheap wi-fi devices, each of which is cloud-dependent and demands to be administered and even used day-to-day only through a pile-of-garbage mobile app whose main purpose is to upsell you on some cloud services.
[1] I admit the fact I have 4 is my fault for opportunistically buying cameras that were cheap rather than at least sticking with one vendor. But many people have a good excuse, perhaps one vendor makes the best doorbell camera, while another might make a better PTZ indoor camera.
[+] [-] HexPhantom|6 months ago|reply
[+] [-] jama211|6 months ago|reply
[+] [-] j45|6 months ago|reply
Network devices can at least be monitored and discovered like this.
[+] [-] pooloo|6 months ago|reply
[+] [-] jama211|6 months ago|reply
[+] [-] GuinansEyebrows|6 months ago|reply
[+] [-] ssgodderidge|6 months ago|reply
The fact that OP did all this work to find out the dog sleeps is pure hacker culture. Love to see it :)
[+] [-] ChaoPrayaWave|6 months ago|reply
[+] [-] TeMPOraL|6 months ago|reply
Good hardware? Costs money. Connecting to anything that goes beyond Netflix and Facebook requirements? Costs money, operations isn't cheap. Anything unusual (so much so as being seen borderline criminal) as hosting your own server, email, or $deity forbid networking hardware? Forget it, support costs money.
And so on.
[+] [-] wpm|6 months ago|reply
https://thingino.com
[+] [-] unknown|6 months ago|reply
[deleted]
[+] [-] unknown|6 months ago|reply
[deleted]
[+] [-] ur-whale|6 months ago|reply
IOT things like the thing he bought are (were) typically the worst kind of offenders.
I just don't do that anymore. It used to bring me pleasure cracking the nut, and that's not the case any longer.
These days, if it does not do what I need more or less out of the box, I just return it / send it back and research the follow-up buy better.
[+] [-] xrd|6 months ago|reply
But today I got a c402 (outdoor) thinking I could use it to capture my son's soccer practice. But that doesn't have the camera account option under advanced.
I love the price point of these devices but the functionality is all over the place.
If anyone knows a good outdoor camera, preferably with solar panel, that is cheap and has an rtsp stream, please let me know.
[+] [-] kennedn|6 months ago|reply
[+] [-] BLKNSLVR|6 months ago|reply
RTC setup section:
Main section: Where:* <Camera RTC name> is just any old short name you want to assign to the camera.
* <Camera name> is the main name for the camera that will be shown in the frigate UI
* <local camera account password> is something set individually on each camera (settings > Advanced > Camera Account, set it to On and setup username/password > Account Information)
* <Tapo cloud password> is the password setup for the Tapo app (I'm not sure how necessary this is, since there's nowhere that the username is specified... this is the only bit I'm fuzzy on)
This is the basics that works for me for the Tapo cameras. There are a boatload of other settings specific to Frigate (but not specific to Tapo cameras).
This is nowhere near as cool hack as the article, however.
[+] [-] kennedn|6 months ago|reply
[+] [-] xrd|6 months ago|reply
[+] [-] marcosscriven|6 months ago|reply
[+] [-] otikik|6 months ago|reply
I wish there was a repository of "appliances that don't try to shove an app and a subscription down your throat"
[+] [-] h4ch1|6 months ago|reply
Not aware of a list or something, but before buying any appliance I try searching if it's "jailbreak-able".
For example I'll search if the router I want to purchase has guides to install openWRT on it, how hard it is to break out of the vendor software loop.
Recently even my Aircon had a mandatory app that it required to even finish installation. I got so pissed I dumped the firmware and reverse engineered the protocol enough to figure out how to set fan speed, temperature and mode. Sitting in the sweltering New Delhi heat really expedited the process.
[+] [-] HexPhantom|6 months ago|reply