TP-Link Tapo C210 Password Hash Exposure Vulnerability Allowing Brute Force Attacks

Vulnerability

A vulnerability has been identified in the TP-Link Tapo C210 camera, version 1.8. The issue arises from an unauthenticated API response in the Tapo app for iOS and Android, which exposes password hashes. Attackers on the local network can exploit this vulnerability to brute-force the password and gain administrative access to the camera. The vulnerability can be mitigated by updating the Tapo app on mobile devices; the device firmware remains unchanged.

Impact

Exploitation of this vulnerability allows for the recovery of the device's authentication password through offline brute-force methods. Once obtained, this password grants full administrative access to the affected camera via the local network.

Remediation

Users are advised to download and update to the latest version of the Tapo app. The updated version is available on the Apple App Store and Google Play Store.

Added: Dec 16, 2025, 7:43 PM
Updated: Dec 16, 2025, 7:43 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.5
remediation: 7.7
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.