Wanted to spy on my dog, ended up spying on TP-Link

Hardcoded Password & Camera Security

  • Thread centers on TP-Link/Tapo cameras using a hardcoded admin password embedded in the app, revealed via reverse engineering and also documented in a prior CVE.
  • Some argue it’s “no big deal” because it’s a default only used during onboarding and gets replaced afterward.
  • Others call it “Not Good”: an unprovisioned camera on the network is a sitting duck until set up, and a factory reset can silently restore the default.
  • Proposed better designs: per-device secrets printed on labels or encoded as QR codes; proof‑of‑presence pairing; or forcing users to create a password on first boot.
  • Counterarguments: per-device personalization adds manufacturing complexity and potential support nightmares if labels/keys get mismatched; small vendors may struggle, but TP-Link is large enough to do it.

Smart Home Ecosystem & Home Assistant

  • Multiple comments lament smart home fragmentation: many apps, cloud lock‑in, weak standards adoption (Matter/Thread), and vendor “party trick” features.
  • Home Assistant is praised for unifying disparate hardware and providing local control; community-written integrations (including cloud APIs) are highlighted as a major strength.
  • Pain points remain: vendors deliberately breaking local/HA integrations (e.g., garage doors), and dependence on Google/Amazon for voice.
  • There’s strong desire for an HA-native, privacy‑respecting smart speaker with local LLM-based intent handling; some point to existing HA voice projects and cheap offline ASR modules, but note DIY time cost.

Android Reverse Engineering, Frida & Attestation

  • Discussion on whether Frida/mitmproxy-style RE will remain viable after stricter Android signing and attestation changes.
  • Consensus: technically still possible (rooted devices, emulators, self-signed dev builds), but much harder for production-like, attested environments.
  • Device attestation is seen as both:
    • A security/fraud-mitigation tool (especially for banking apps and check deposit).
    • A mechanism hostile to user freedom, modding, and alternative OSes.
  • Debate over whether Android is still “meaningfully open,” and whether it’s reasonable to expect to do both serious banking and heavy RE on the same phone.

Practical Tapo / NVR Setup Notes

  • Several users share Frigate + go2rtc configurations for Tapo cameras, clarifying the use of rtsp:// vs proprietary tapo:// (required for two-way audio).
  • Confusion about which Tapo models support RTSP; some outdoor models lack the “camera account” option but can still be used via go2rtc’s Tapo integration.
  • Complaints about missing snapshot URLs and reliance on proprietary APIs; some recommend firmware replacements like Thingino or buying cameras that offer RTSP out of the box.

Routers, IoT, and Broader Security Concerns

  • Many comments zoom out to router/IoT security: ISP-provided routers as opaque, rarely-updated boxes with known CVEs and frequent license violations.
  • Suggestions range from OpenWrt/OPNsense/pfSense to custom Linux routers; there’s disagreement about usability vs. control.
  • Some argue end-to-end encryption reduces the risk from compromised routers; others note local-network attack surfaces (IoT devices, SMB, UPnP) still make router security critical.
  • General sentiment: most users never touch firmware or passwords; “if the internet works, that’s enough,” which vendors and ISPs optimize for.