Unrated severity · NVD Advisory · Published Jun 6, 2023 · Updated Jan 8, 2025

CVE-2023-27126

Description

TP-Link TAPO C200 V3 (EU) cameras reuse a fixed AES Key-IV pair, enabling physical attackers to extract and decrypt WiFi passwords and TP-Link account credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The TP-Link TAPO C200 camera V3 (EU) running firmware version 1.1.22 Build 220725 uses a static AES Key-IV pair for encrypting sensitive data such as WiFi passwords and TP-Link account credentials. This key material is identical across all units, meaning that once extracted from one device, it can decrypt data from any other camera of the same model and firmware version [1].

Exploitation

An attacker must obtain physical access to the camera. The attacker can disassemble the device, access the printed circuit board, and dump the flash memory using standard hardware debugging tools (e.g., JTAG or UART). From the dumped firmware, the fixed AES Key-IV pair can be extracted. With this key material, the attacker can decrypt the stored encrypted configuration, revealing the victim's WiFi password and TP-Link account credentials [1].

Impact

Successful exploitation allows the attacker to recover the WiFi network password and the TP-Link account credentials associated with the camera. The WiFi credentials could be used to gain unauthorized access to the victim's wireless network. The TP-Link account credentials could enable access to other TP-Link/Tapo devices and services linked to the account, potentially compromising the victim's smart home ecosystem [1].

Mitigation

As of the publication date (2023-06-06), no firmware update addressing this vulnerability has been disclosed in the available references. Users are advised to secure physical access to the camera to prevent tampering. If possible, consider placing the camera in a location where physical access is restricted and monitor for any suspicious activity. TP-Link may release a firmware fix in the future; users should regularly check the official TP-Link support site for updates [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • TP-Link/Tapo C200 (cpe-rescue), 2 versions
    • (no CPE)
    • (no CPE), range: = 1.1.22 Build 220725

Patches

0

No patches discovered yet.

References

3
