Wanted to spy on my dog, ended up spying on TP-Link
I recently bought a cheap Tapo indoor camera to see what my dog gets up to when I am out of the house.
What actually followed? I ended up reverse-engineering onboarding flows, decompiling an APK, MITMing TLS sessions, and writing cryptographic scripts.
My main motivation for this project really stemmed from the fact that the camera annoyed me from day one. Setting the camera up in Frigate was quite painful, and nobody online really seemed to know how these cameras worked.
SIDENOTE: If you want two-way audio to work in Frigate you must use the tapo:// go2rtc configuration for your main stream instead of the usual rtsp://. TP-Link are lazy and only implement two-way audio on their own proprietary API.
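To make the sidenote concrete, here is an added example of a Frigate config that does what it describes: the main stream is served through go2rtc's tapo:// source (so the live view and two-way audio go over TP-Link's own API), while the detect stream stays on plain RTSP. This is my own illustration, not configuration from the original post or from the Frigate/go2rtc projects; the camera name, the IP address, the stream paths and the CLOUD_PASSWORD / CAMERA_PASSWORD placeholders are assumptions you replace with your own values.

```yaml
# Added example, not from the original post. Placeholders are assumptions.
go2rtc:
  streams:
    # Main stream via TP-Link's proprietary API (tapo://). The credential here is
    # the Tapo cloud/account password, not the RTSP camera-account password.
    dog_cam:
      - "tapo://CLOUD_PASSWORD@192.168.1.50"
    # Sub stream via ordinary RTSP; /stream2 is the lower-resolution stream
    # commonly used for detection.
    dog_cam_sub:
      - "rtsp://admin:CAMERA_PASSWORD@192.168.1.50:554/stream2"

cameras:
  dog_cam:
    ffmpeg:
      inputs:
        # Both inputs are pulled from go2rtc's local RTSP restream so the camera
        # only ever serves one connection per stream.
        - path: rtsp://127.0.0.1:8554/dog_cam
          roles:
            - record
        - path: rtsp://127.0.0.1:8554/dog_cam_sub
          roles:
            - detect
    live:
      # The live (WebRTC) view must point at the tapo:// stream for talk-back to work.
      stream_name: dog_cam
```

Keep the two passwords straight: the tapo:// source wants the cloud password, the rtsp:// source wants the camera-account password set in the Tapo app's advanced settings. If the main stream shows video but the microphone button does nothing, the usual cause is that `live.stream_name` is still pointing at an rtsp:// stream rather than the tapo:// one.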
One undocumented behavior that tripped me up was that the device’s API is supposed to accept credentials admin :
This implied a few things to me that started the cogs turning:
There must be a call made during on-boarding that syncs the device password with the cloud password
The device must either allow unauthenticated calls before this step or have some sort of default password.
So considering my onboarding woes and the fact that I was starting to recoil every time the tapo app tried to jam a “Tapo Care” subscription down my throat, a cloudless onboarding solution for the device was beginning to look more and more desirable.