Updated with comments from TP-Link
One or more security cameras manufactured and sold by TP-Link under its Kasa smart home product line could be easily hacked due to several serious vulnerabilities in the Kasa mobile app, a researcher says in a new report.
According to Cequence Security researcher Jason Kent, hackers can gain remote access to images, video, and settings by exploiting security flaws in the app for TP-Link's Kasa home security camera series.
The same app controls Kasa smart plugs, smart light bulbs, and smart wall switches. It is unclear whether the same app flaws apply to these products.
Tom's Guide has reached out to TP-Link for comment and will update this article as soon as we receive a response.
[UPDATE: TP-Link announced that all problems had been fixed by July 17]
Kent discovered the flaw when he purchased a Kasa camera and noticed a potential security issue.
"Upon installation, I noticed that the mobile application was connecting directly to the camera via the network. As a security expert, this bothered me."
Upon further investigation, he found that the camera had an improperly protected Secure Sockets Layer (SSL) certificate, making it vulnerable to man-in-the-middle attacks.
He noted that because the SSL certificates are not secured, fraudsters can "easily open them and see transactions."
SSL certificate pinning prevents such man-in-the-middle attacks, because the app rejects any certificate other than the one it expects, so a spoofed certificate is not accepted.
"We also found that authentication is simply a Base64-encoded username:password passed under SSL. Security best practices dictate that applications should be hashed under SSL, not encoded, reaffirming the value of pinning certificates," said Kent.
Base64 is not encryption; it is simply a way to encode binary data as compact text. It is not secure at all.
For example, "password" in binary would be "011110000000000000000000001111110111001001100100", which is quite long and unwieldy. In Base64, however, "password" becomes the more manageable "cGFzc3dvcmQ=". It may appear to be encrypted, but in fact it is not.
Kent warned that the sloppy account authentication protocols in the Kasa app, which he reported to TP-Link in March, are still unpatched and allow a malicious person to easily launch a credential stuffing attack as part of an account takeover.
That's because the Kasa mobile app tells you whether you entered a non-existent username or a wrong password, allowing attackers to quickly cross items off the list of possible usernames and passwords.
Kent explains: "As most people on this platform do, I used my email address as my username, so with a simple set of requests, I can enumerate user accounts on the platform. As someone who works to fight and contain automated cyber attacks (bots), I know that redundant API error messages in authentication endpoints can lead to account takeover (ATO) attacks."
By exploiting these flaws, attackers can launch credential stuffing attacks. He says: "Currently, an attacker can enumerate usernames based on email lists. Once a known good username list is established, a password attack can be launched. ATOs happen more easily when the attacker can easily figure out what a good username and matching password are. In this case, a Credential Stuffing attack would be used to guess the password, otherwise the attacker would have to enter a good username and use a password reset mechanism to take over the account."
It is better for security if the app simply refuses the login, without saying which part of the credentials was wrong, when incorrect credentials are provided.
Despite contacting the manufacturer in March, some flaws remain. He says: "However, as of this writing, they have not fixed the information leak on their platform and an ATO with credential stuffing is still a possibility. Their API tells attackers how to be more efficient and helps them find valid username/password combinations."
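As an added illustration (not code from Kent's report or from TP-Link), here is a login check written both ways: one that returns the distinguishable errors described above, and one that returns a single generic message and performs the same amount of work on both failure paths. It also decodes a Basic auth header to show that the Base64 encoding discussed earlier is trivially reversible. The user store, salts and credentials are constructed for the example.

```python
import base64
import hashlib
import hmac
import os


def _hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password (what a server should store)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash_pw("correct horse", _SALT))}

# Dummy salt/hash used for unknown usernames so the "no such user" path
# costs the same as a real password check (no timing tell).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_pw("dummy", _DUMMY_SALT)


def decode_basic_auth(header_value: str) -> tuple:
    """Base64 is reversible: anyone who sees the header recovers the credentials."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw


def login_leaky(username: str, password: str) -> tuple:
    """The anti-pattern: the error text reveals whether the username exists."""
    if username not in USERS:
        return False, "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return False, "Wrong password"
    return True, "OK"


def login_uniform(username: str, password: str) -> tuple:
    """Hardened: one generic message, and equal work whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash_pw(password, salt), stored)
    ok = match and username in USERS  # the dummy hash can never log anyone in
    return (True, "OK") if ok else (False, "Invalid username or password")
```

Note that the uniform version still needs rate limiting and lockout on the server side; a generic message only removes the username-enumeration shortcut, it does not stop password guessing by itself.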
To avoid such attacks, users are encouraged to set unique passwords and ensure that their devices are using the latest software.