Vulnerability Assessment and Penetration Testing on IP cameras

IP cameras have always been part of the Internet of Things (IoT) and are among the most widely used devices in both home and professional environments. Unfortunately, the vulnerabilities of IP cameras have attracted malicious activities. For example, in 2016, a massive attack resulted in thousands of cameras and IoT devices being breached and used to create a botnet. Given this history and the extremely sensitive nature of the data these devices have access to, it is natural to question what security measures are in place today. In this paper, a vulnerability assessment and penetration testing is performed on a specific model of IP camera, the TP-Link Tapo C200. More in detail, our findings show that the IP camera in question suffers from three vulnerabilities such as: denial of service, video eavesdropping and, finally, a new type of attack called "Motion Oracle". Experiments are not limited to the offensive part but also propose countermeasures for the camera in question and for all those that may suffer from the same vulnerabilities. The countermeasure is based on the use of another IoT device, a Raspberry Pi.