This is so bad that it must be intentional, right? Even though these are dirt cheap, they couldn't come up with $100,000 to check for run-of-the-mill vulnerabilities? There must be many millions sold. Quite handy for some intel agencies.
I assume any Wi-Fi camera under $150 has basically the same problems. I guess the only way to run a security camera where you don't have Ethernet is to use a non-proprietary Wi-Fi <-> 1000BASE-T adapter. Probably only something homebuilt based on a single board computer and running basically stock Linux/BSD meets that requirement.
> This is so bad that it must be intentional, right? Even though these are dirt cheap, they couldn't come up with $100,000 to check for run-of-the-mill vulnerabilities?
The camera sells for $17.99 on their website right now.
Subtract out the cost of the hardware, the box, warehousing, transit to the warehouse, assembly, testing, returns, lost shipments, warranty replacements, support staff, and everything else, then imagine how much is left over for profit. Let's be very optimistic and say $5 per unit.
That $5 per unit profit would mean an additional $100,000 invested in software development would be like taking 20,000 units of this camera and lighting them on fire. Or they could not do that and improve their bottom line numbers by $100,000.
TP-Link has a huge lineup of products and is constantly introducing new things. Multiply that $100,000 across the probably 100+ products on their websites and it becomes tens of millions of dollars per year.
The only way these ultra-cheap products are getting shipped at these prices is by doing the absolute bare minimum of software development. They take a reference design from the chip vendor, have 1 or 2 low wage engineers change things in the reference codebase until it appears to work, then they ship it.
Both the parent and you can be right in this case.
The parent rightly suggested that there is the obvious intention to exploit these devices:
> This is so bad that it must be intentional, right? Even though these are dirt cheap, they couldn't come up with $100,000 to check for run-of-the-mill vulnerabilities?
You explained that there could be an economic reason for the appalling absence of security:
> The only way these ultra-cheap products are getting shipped at these prices is by doing the absolute bare minimum of software development.
But the parent's point is more convincing, based on the observable evidence and the very clear patterns of state-sponsored exploitation.
The vendors could set default passwords to be robust. The vendors could configure defaults to block upstream access. But maybe the vendors in this particular supply chain are more like the purveyors of shovels in a Gold Rush.
A less-charitable metaphor is possible where state-sponsored motives are unambiguously known.
Is there a table of supported hardware, that contains info about the USB-connection (or ethernet) on these devices. Like, which have data-lines connected, can the device electrically do host and device mode? Can I use a POE2USBC adapter, that presents itself as a USB-network device to the camera?
Ability to filter on those columns would be great.
Is thingino using the Ingenic linux kernel 3.ancient SDK version, or do they have/use something newer?
It's been long known that many older TP-Link IoT devices don't require any authentication to connect, such as my Kasa HS300 strips. Later models require the account credential [1], but I'm not surprised that they still left something wide open (e.g., a Wi-Fi config endpoint for provisioning). I tend to believe this is just poor software engineering (Hanlon's razor).
My initial read of proximity being sufficient to exploit 3 is incorrect, so yeah as long as you control the Wi-Fi network sufficiently then things should be fine.
Scott Locklin is one of my favorite reads, in occasional doses though. Kind of unhinged-seeming but always some perspective that seems fresh.
He's like Casey Handmer turned up to 11, and throw in a use of the word "retarded" in pretty much every post which surely is some repellent just to make certain types of people go away.
Actually I'm not sure I really get anything out of reading either of them but they provide some enjoyment and glimpse of a possible future.
I find these numbers to be way outside of what I have heard of. I would be surprised if you could give an example that comes with even 1.5x capacity. (4TB capacity, 6TB actual flash on chips, for example.)
They used to release new ec2 sizes at the same price as the previous gen which made upgrading a no brainer. That stopped with m7 and doesn’t seem to be coming back.
Not sure what Amazon plans to do when the m6 hardware starts wearing out.
Search Amazon for "pfsense mini pc". (Smile as you think about how this triggers that one pfsense guy!) Intel N100 or N150 processor, passive cooling, typically 5 1000BASE-T or better ports, RAM and SSD included. Should be able to get one for ~$200.