Researcher warns the highly-rated Kasa family of security cameras has bugs that give hackers access to private video feeds and settings.

A popular consumer-grade security camera made by TP-Link and sold under the Kasa brand has a bevy of bugs that open the hardware to remote attacks, such as giving hackers access to private video feeds and the ability to change device settings.

The researcher Jason Kent, with Cequence Security, reported the flaws to TP-Link on March 2. On Thursday, the researcher publicly disclosed the bugs and noted that TP-Link has not patched one of the vulnerabilities – an account takeover (ATO) bug that opens the door to credential stuffing attacks.

The most troubling bug Kent found was an insecure implementation of an SSL certificate on the Kasa mobile application. That vulnerability left the door open to man-in-the-middle attacks. The flaw was patched on June 11. It’s unclear if the patch was pushed to devices or if consumers will need to download the patch themselves.

In a blog post publicly disclosing the TP-Link Kasa bugs, Kent describes the risks associated with the Kasa security cameras.

“I looked at the application request methods and given the potential sensitivity of the data in the system I wanted to ensure the data transfer was encrypted,” Kent wrote in a blog Thursday.

Popular TP-Link Family of Kasa Security Cams Vulnerable to Attack