❗❗❗Invalid cloud password on firmware build 230921 and higher

[JurajNyiri]

Thread for invalid cloud password on firmware build 230921 and higher

There has been reports of users on firmwares 1.3.8, and newer, or on some cameras other firmwares with build 230921 and newer of integration stopping to work. This shows as cloud password not being accepted.

I have been in touch with tplink regarding a security vulnerability I reported in the past and this is most probably a fix for it.

This currently only affects some users, not all and most probably requires camera to be connected to the internet in order to receive the update for authorization, given that it affects older firmwares as well, or possibly an interaction with the official app.

I have a solution and I am waiting for a permission for integration to connect to cloud.

Users reported this problem in numerous issues, this issue will serve for tracking the progress on the fix and group all the conversation under one issue.

Workarounds

If you need to use the camera with this integration until this is resolved you can either:

1. If your camera still works with integration: Block internet access of camera and stop using the official phone app temporarily if you are using firmware 1.3.8 (or build 230921 and higher)
2. If your camera no longer works with integration: Use older firmware than 1.3.8 (or build 230921) and factory reset camera

This issue has been locked due to too many users ignoring the request to read first before posting duplicate and off topic content after more than 3 warnings.

This post will stay uptodate with the most recent updates below.

2024-04-11:

First report of the issue at #549

2024-04-12:

Second report of the issue at #550 along with more users confirming the issue.

2024-04-13:

This thread has been created.

From my side, I have unblocked one of my camera on the latest firmware to reach the internet, so that hopefully I can get this update soon and work on a fix. I hope TPLink will provide detailed instructions on what has been changed so that I can work on a fix.

2024-04-19:

Added instructions about build number as some cameras have different versioning of firmwares.

I reached out to TP-Link after 7 days for any updates.

2024-04-23:

@reypm found a solution how to workaround this issue without downgrading the firmware:

1. Factory reset the camera (it remains with 1.3.11 Build 231117 firmware since I could not find a way to downgrade the firmware)
2. Entirely block Internet access for the camera
3. Reinstalled the component (this component)
4. Re-added the camera (by reinstalling the component it removes the old config)

TPLink is working on providing me with the solution, got a reply today that I need to wait a bit more.

2024-05-08:

I have some very good news and a little bit of concerning news.

Good news:

1. Today I was finally affected with this on one of my cameras which allowed me to conduct research and I spent my whole day working on that.
2. I now know how to solve this, I just need to figure out some of the remaining details and implement the changes which should not take more than a few weekends of active work. There is a lot of work involved but it can be done and I now know roughly how.

Now the concerning news:

1. Integration will need to interact with tplink cloud to get the new password. This is possibly a one time job, but I do not know yet, it might expire and get a new password if it no longer works. I will need to find a way to detect this as well but thats just a little detail.
2. Due to integration's need to interact with TPLink cloud I have reached out to TPLink for their permission. If they refuse, there is no way how to implement this unless someone else makes a script to extract the pwd AND the pwd does not change, ever. Which would also make the set up harder for everyone.

2024-05-15:

See #551 (comment)

2024-05-18:

See #551 (comment)

2024-05-29:

See #551 (comment)

2024-06-25:

See #551 (comment)

2024-07-03:

See #551 (comment)

[reypm]

I am using the iOS app and everything is working fine. My camera is a Tapo C110 with Firmware Version 1.3.11 Build 231117 Rel. 47346n(5553) and as of today is not working.

// image removed.

[JurajNyiri]

@reypm have you opened and used the app just before it stopped working or only after?

[reypm]

@JurajNyiri Yes, everything is working as expected and nothing has changed on my end with the app, I do keep my iOS apps up to date most of the time, not sure when the Tapo app did update to the latest

[wavemop]

Operating System: Android
App version: 3.2.976
Camera: C200 (Hardware-Version 3.0)
Firmware version: 1.3.13

pytapo output is: "Exception: Invalid authentication data"

I'm really hoping tp-link is calling you soon ;)

[reypm]

@JurajNyiri I am using this other custom component repository as well and today I noticed it disconnected some of my Tapo devices, upon research some people reported issues in their issues and the problem was fixed with version 3.1.0. I updated the component today and is working fine, I am using the very same creds I am using with your component, you can maybe take something from there or just take a look

Disclaimer: I am not advertising the other repository at all just providing some help to get the issue fixed ASAP

[JurajNyiri]

@petretiandrea any idea if this might be related? I know your integration uses different communication method completely.

[scetu]

I have 3x C200 with 1.3.11 sice December (#472 (comment)) with blocked DNS (only NTP is enabled - otherwise they are in zombie state) and so far no major issues.

[reypm]

with blocked DNS (only NTP is enabled - otherwise they are in zombie state)

@scetu what does this mean? is there a guide for this?

[JurajNyiri]

Blocking the access after having the issue will not help — and I am not sure if it helps at all even when not having issue as the update might be pushed through the app. In order to use the camera you will either need to wait or follow steps in main post in this issue - downgrade firmware.

[jjvelar]

Hi @JurajNyiri
I have 1.3.9 firmware but no issues with integration version 5.4.17.
Should I then update the integration to version 5.4.17PSA?
Thanks,

José

[JurajNyiri]

5.4.17PSA Has nothing new. It’s a way how to get the information to the end users and help them prevent having issues.
You will soon be affected most probably unless it is fixed by then.

[mbentancour]

Thanks for pushing the PSA as an "update". I would have missed this if it wasn't for it. I block internet access to all my cameras but from time to time I update the firmware just to keep them up-to-date. It would be a lot of work to factory reset them just to get them to work again.

I see you have the "help wanted" tag, I have a C200 that I can use for testing, and I might be able to do some python debugging if that helps.

[scetu]

with blocked DNS (only NTP is enabled - otherwise they are in zombie state)

@scetu what does this mean? is there a guide for this?

Use AdGuard Home or Pi-Hole and add custom rules for filtering

||tplinknbu.com^$important
||iot.i.tplinknbu.com^$important
||tplinkcloud.com^$important

[jsapede]

hello,
my cameras are C210 1.3.13 but fully blocked internet since some weeks. Still working at this time.
is there a documented procedure and firmware ressource for downgrade ?

[jakwarrior]

Thanks for this "update", I would have missed the issue without it. I'm using a Tapo C200 with firmware 1.3.9 Build 231019 according to the integration. I've just blocked updates with AdGuard filters, and I haven't launched the Android app. So far, everything is still working perfectly.

[petretiandrea]

@petretiandrea any idea if this might be related? I know your integration uses different communication method completely.

Hi, actually I'm not calling the "cloud", so no "cloud password". My integration is completely based on local communication.
My library is using KLAP protocol

[Write]

with blocked DNS (only NTP is enabled - otherwise they are in zombie state)

@scetu what does this mean? is there a guide for this?

Use AdGuard Home or Pi-Hole and add custom rules for filtering

||tplinknbu.com^$important
||iot.i.tplinknbu.com^$important
||tplinkcloud.com^$important

Just to be entierly precise : this doesn't block their internet access per se, if the firmware contains direct IP address Pi-Hole won't be able to block it. Hence, why I'd try to block their internet access at the router level. Most consumer router from ISP comes with a "child protection mode" to block internet from specific devices at specific time, which is what I would do if I didn't have a "true" configurable router.

However, this would also block NTP (Server to which the device request to, to get current time and date) requests too.

That's the solution I use at my mom's house, and it works perfectly fine, with an automation to force sync date / time from HA to Tapo devices.

alias: "camera : Sync Tapo Time"
description: ""
trigger:
  - platform: time_pattern
    minutes: /5
condition: []
action:
  - service: button.press
    data: {}
    target:
      entity_id:
        - button.tapo_salon_sync_time
        - button.tapo_entree_sync_time
mode: single

[PeteDenmark]

Mine are still working (well - as "well" as they always have).

Have now blocked their internet access in my router, just because there is no need for them to have internet access.

Cams: Tapo C200 (two of them)
App version: 3.2.976
Firmware: 1.3.13 Build 240327 Rel.63336n(4555)
Hardware: 3.0
Android
Haos
WebRTC for streaming

[sgurgul]

I believe accessing (or not) cameras from mobile Tapo application might explain why some cameras still operates well.

I manage 3 locations with different set of users, all having same Tapo C100/C110 cameras, with same firmware versions (1.3.9 & 1.3.11, depending on the camera model).

Two locations are "broken" since last few days - HA claiming authorization errors. 3rd one still works smoothly.

The difference is that in two broken locations users use Android Tapo application to monitor cameras. 3rd location is only integrated with HA. I made some experiments in this 3rd location - resetting camera, resetting HA, even removing and adding integration in HA - everything still works smoothly.

All locations & cameras has an Internet access so this factor does not seems to explain the phenomenon in my case.

[Ector73]

I sent a request for an update on Monday 27.05.2014 after 12 days of no additional updates. The last update I have is from 15.05.2014 that they are deciding.

2024? ......otherwise I'll start to worry :-)
In any case, I downgraded the firmware and everything works perfectly on my two c200...waiting for..

[JurajNyiri]

I got another update from TPLink. (Deleting above recent update since it has less / duplicate info to keep this thread clean).

TPLink is preparing a new cloud API endpoint for this integration in order to get the cloud token without the need to go through their cloud exactly like the app and my currently prepared solution.

They estimate this will be done by end of June but they are not certain and the deadline might change.

This is good and bad news for us.

It means we will have to wait longer for a solution and all the work (weeks) I spent working on it is now not going to be able to be used and released for everyone here, which makes me sad, but I learned a lot in the process.

However, this is also very good in my opinion. It means, they are indeed trying to keep this integration working well. Which is in my opinion very good news for open source and TP-Link products and their customers. To me, it shows their intent to work with open source projects and open home.
It also means, whatever solution they prepare will be official, will not break unintentionally and will be above board, which makes this integration more stable in the future.

What to do now?

For the affected users, at this point your option is to downgrade the firmware if you wish to use this integration in the meantime.

If you are not affected with this issue yet, and are running the recent firmware higher than build 230921 block internet access of the camera now.

Next steps

Once I receive an update from TPLink I will work on integrating it and releasing it ASAP. If I do not get an update by July 1st, I will send a reminder.

[bucker00]

Oh man, I feel for ya - appreciate all your hard work on this!

[MLammerding]

Thx a lot for your work!👍🏻🚀
Is there a chance to update the list of the old firmwares? The latest list is 7 month old now
Thx in advance!✌🏻

[JurajNyiri]

@MLammerding these are not tracked or maintained by me. I do not know where and how the author got them. In any case, you do not want firmware newer than 7 months for this integration. You need build before 230921.

[fredrikhaggbom]

Thanks for your work @JurajNyiri! Much appreciated, and I think an official interface from TP-link is best in the long run.

Not sure this has been mentioned before (at least it wasn't clear to me), but the downgrade process was very easy and I didn't need to factory reset the camera (which means I didn't have to reconfigure anything, all settings was preserved after the downgrade). The process I did (with my two C320WS cameras):

1. Downgraded according the process described above.
2. Rebooted camera. All settings was still there and I was able to connect to it in the Tapo-app as before.
3. Reauthorised the camera in this integration in Home-assistant. Nothing else was changed (same entity names and so on).
4. Disabled the auto-update feature for the cameras in the Tapo-app to prevent it from automatically update the cameras firmware.

[DaveAuld]

TIP:
While we wait for the solution, if you don't want to go through the hassle of downgrading all the cameras, you can always use the ONVIF integration then in your dashboards, comment out your existing Tapo entities and replace with the ONVIF equivalent
The camera username and password remains the same when configuring the ONVIF devices and the port is 2020.
I have just switched over 6 cameras doing this, and will at least give me the feeds from the cameras for the time being.

[JurajNyiri]

Unfortunately I was forced to lock this due to too many off topic and duplicate posts sending notifications out to everyone watching this issue. This was after more than 3 warnings were sent previously and users ignoring these.

Every information you need regarding this issue is in the main post at the top.

If you have anything new and valuable to share feel free to email me.

[JurajNyiri]

I saw an increase of messages on Discord talking about inactivity on this issue.

If you are wondering what is new, I am waiting for TPLink to send me instructions about endpoint they are developing specifically for this and this integration that should be done around end of June the last I heard from them.

See this message for more details and how to get your camera working in the meantime.

[JurajNyiri]

I have sent an email to TPLink asking for an update on the new API endpoint they are developing.