mtlynch 21 hours ago
I agree that would be nice, but it also doesn't sound all that practical for a small vendor. I used to sell a home networking device,[0] and I wouldn't do what you're describing. If there were an issue where the labels calculate the wrong password or the manufacturer screws up which device gets which label, you don't find out until months later when they're in customer hands and they start complaining, and now you have to unwind your manufacturing and fulfillment pipeline to get back all the devices you've shipped. All that to protect against what attack? One where there's malicious software on the user's network that changes the device password before the user can? In that case, the user would just not use the camera because they can't access the feed.
bri3d 20 hours ago
Ha! I actually use TinyPilot all the time, nice!

> I agree that would be nice, but it also doesn't sound all that practical for a small vendor.

Personalizing / customizing per device always introduces a huge amount of complexity (and thus cost). However, this is TP-Link we're talking about, who definitely have the ability to personalize credentials at scale on other product lines. And again, to be clear, I'm not trying to argue that the current way is some horrible disaster from TP-Link, just advocating for a better solution where possible. I think the current system reads as fine, honestly, it sounds like typical cobbled together hardware vendor junk that probably has some huge amount of "real" vulnerability in it too, but this particular bit of the architecture doesn't offend me badly.

> now you have to unwind your manufacturing and fulfillment pipeline to get back all the devices you've shipped.

This can be avoided with some other type of proof-of-presence side channel which doesn't rely on manufacturing personalization - for example, a physical side-channel like "hold button to enable some PKI-based backup pairing or firmware update mode." For a camera, there should probably be an option to make this go away once provisioning is successful, since you don't want an attacker performing an evil maid attack on the device, but for pre-provisioning, it's a good option.
chrisweekly 19 hours ago
Slight tangent: I just read your TinyPilot blog post, which was interesting and worthwhile. Thanks for sharing that!
kelnos 21 hours ago
TP-Link is far from being a small vendor, though.