Tapo app security breach?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-02-27 05:01:17 - last edited 2024-02-29 06:48:24
Model: Tapo C200  
Hardware Version: V1
Firmware Version: 1.3.11

This post has nothing to do with my camera/s, but it is the only way I can find to bring this issue up.

I opened the Tapo app on my phone today and instead of the normal screen it opened showing what looked like a partially transparent full screen overlay showing a live view of somebody else's lounge, which I have never seen before.

 

Under the overlay, I could make out the normal opening screen, but I was so taken aback by it I exclaimed "what the heck!". Moments later, I heard my own words repeated back to me, but not from my cameras because I was too far away from them for this to be possible; the repeat came through my phone speakers.

 

Now before anyone can claim I was picking up my neighbour's WiFi or something similar, that is physically impossible because my closest neighbour is more than 141 metres away and there is an earth hill between us. The next closest one is 500m away and behind a thick grove of trees, so we essentially have fully isolated WiFi.

 

I found I could tap the name of one of my cameras through this random overlay and as soon as I did that, the overlay disappeared and the app returned to normal.

 

Now I do not use any of the web services to upload footage from my cameras, I use the SD-Card exclusively because we have a monthly limit and I don't want to consume my data allowance.

 

Has anyone ever seen or reported anything like that before? How was it possible for a live view of the lounge of somebody who I do not know, have never seen and will likely never know to be displaying on my Tapo app when I only have my own cameras set up?

 

Surely this has to be a serious security flaw that needs to be escalated to the highest point for investigation and immediate resolution.



 

#1
Re:Tapo app security breach?
2024-02-27 11:50:45

  @Mr_Pav 

Hi,
Thank you very much for posting on the TP-Link Community, we greatly appreciate and highly value the case you have raised in your thread, and for similar cases, we recommend contacting our support team promptly with the following information to receive swift assistance:
1. Please specify the date and time when you experienced the issue while viewing the camera on your Tapo app.
2. If available, kindly provide any video recordings that show the reported case.
3. Please provide the MAC address of your Tapo camera or your TP-Link ID (the email address used to log in to the Tapo app).
4. Include a detailed description of the problem (or the link to the thread).
Best Regards

#2
Re:Tapo app security breach?
2024-03-06 22:22:47 - last edited 2024-03-06 22:24:14

UPDATE

Thank you for the link to support, I somehow missed it so my search-fu was lacking that day.

 

I've had some extensive conversations with TP-Link Head Engineer and after exhausting all the possibilities, it appears there was a phenomenon that happened once and once only on my phone during the Tapo app startup sequence. Since this post, TP-Link have done some extensive investigations on their servers and in particular, connections with my devices and no trace logs or anomalies could be found. I was assured of the security model and that it had not been compromised. I'm satisfied with the outcome, some additional reporting tools were provided that I can use in the future if any such thing should happen again so I'll go with that.

Nevertheless, I still had an incident that caused me no shortage of alarm at the time, therefore I thought it prudent to at least provide some details of the phenomenon I experienced by way of 2 images. One image shows my normal Tapo app startup page which displays the contents at "My Home --> Favorites", and the second shows a mock-up of the phenomenon I experienced.

 

My resultant mockup is taken from 2 phone screenshots and using graphics editing apps on my laptop, I overlaid one snapshot on top of the other, masked and shaded some areas then set the opacity of the top layer to 82%. This most accurately rendered the equivalent look of my phone's screen at the time. Note, I restarted my phone 2 days prior, after receiving a substantial security update from the manufacturers.

 

As this was the first time I opened Tapo since the restart, the Tapo Splash displayed as expected, however, on this occasion, the Tapo splash did not fade within the normal half second spin up time. Instead of the normal My Home --> Favorites page being displayed, this random footage or static image, I can not tell what, was displayed in the exact location as would a normal review of recorded content through the standard Tapo playback.

 

Through what I can only call a frozen splash, I could make out the faint outlines of 2 camera icons along with the names I'd given them. As I looked more intently at the screen I found even fainter outlines of the standard Tapo app white buttons for the 2 cameras in my favorites. Deciding this must be the normal Tapo My Home --> Favorites page in the background, I tried tapping one of the camera icons; the anomaly ceased immediately and the Tapo app opened that camera's live view.
 
I post the images in the hope that if this type of thing happens to any other users who happen to be registered here, they might stumble upon this thread and find a point of reference that is similar to, or matches their own experience.
 
EDIT - I tried to upload 2 images, seems only 1 can be displayed so using only the mockup.

 

 

 

 

 

#3
Re:Tapo app security breach?
2024-03-07 08:44:31

  @Mr_Pav 

Hi,
Thank you very much for your cooperation in working with our support engineer as well as providing detailed updates about the issue. We appreciate your diligence in keeping us informed.

We're glad to hear that the product does not have the concerns you initially raised. Ensuring the safety and addressing any usage-related issues of our products is of utmost importance to us. 

If you have any further questions or concerns, we recommend reaching out to our technical support team at your earliest convenience. They will be able to assist you and provide the necessary guidance promptly.

Thank you again for your update, and we remain committed to your satisfaction and product safety.

Please let us know if there's anything else we can assist you with.
Best Regards

#4