Name of the Vulnerable Software and Affected Versions:

TP-Link Tapo C200 camera version 1.1.22 Build 220725

Description:

The issue is related to the implementation of the AES encryption algorithm in the TP-Link Tapo C200 camera, which involves the reuse of the AES Key-IV pair across all cameras. This flaw can be exploited by an attacker with physical access to a camera, allowing them to extract and decrypt sensitive data, including the Wifi password and the TP-LINK account credential of the victim.

Recommendations:

For version 1.1.22 Build 220725, consider restricting physical access to the camera until a patch is available.

As a temporary workaround, avoid using the camera's Wifi functionality and TP-LINK account features until the issue is resolved.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.