TAPOcalypse Now: Exploiting TP-Link Smart Devices From Anywhere

Summary

Following our hacking of Xiaomi home security cameras, we have decided to look at another market-dominating vendor in our region, TP-LINK. In this post, we describe the major findings from our review of new generation TAPO security cameras:

- a pre-auth RCE stack BOF that can be exploited not only from the LAN but also from the WAN as a browser exploit,
- a severe authentication bypass vulnerability that allows the exploitation of 10+ post-auth and RCE-able vulnerabilities that we also identified in the HTTP and ONVIF server implementations (all patched in TP-Link's April advisories), including a heap BOF that we also fully exploited for RCE,
- another authentication bypass vulnerability similar to the previous one; this vulnerability remains unpatched today, with an advisory promised for April 20th that did not happen,
- a cryptographic design weakness that can enable a full cloud account compromise just from network access to one TP-LINK device of the cloud account; this vulnerability also remains unpatched today, with a patch promised for May.

All told, in the worst case, our findings would enable an attacker to go from a victim visiting a malicious link via browser from within the same LAN as their TP-LINK smart camera, to full takeover of every TP-LINK smart device connected to the cloud account of the user.

Now You See mi: Now You're Pwned

In this blogpost, the newest full-time member of our research team describes his internship project. If you would also like to try your hand at our hacking tools and techniques, don't hesitate to check out our training offerings! Currently available: https://www.offensivecon.org/trainings/2026/exploiting-smartphones-through-baseband.html

Last summer, I had an opportunity to join TASZK Security Labs for a summer internship. The target we selected for this 2-month project was to hack Xiaomi Security Cameras, specifically a Xiaomi C400 Smart Camera, a very popular device in our market that we also happened to already have at hand. We defined two end goals:

- create an RCE exploit via any wireless/LAN interface
- use the exploit to create a full "cloud jailbreak"

The motivation for the latter was that we knew that these devices are heavily dependent for their operation on the Xiaomi Smartphone Application and Xiaomi Cloud Server.