❗❗❗Invalid cloud password on firmware build 230921 and higher #551

Open
JurajNyiri opened this issue Apr 13, 2024 · 127 comments
Labels
Blocked Bug Something isn't working

@JurajNyiri
Owner

JurajNyiri commented Apr 13, 2024

Thread for invalid cloud password on firmware build 230921 and higher

Notice: This issue has been locked for discussion, and will be used to post updates only. Discuss or ask a question.

There have been reports from users on firmwares 1.3.8 and newer, or on some cameras other firmwares with build 230921 and newer, of the integration ceasing to work. This shows as the cloud password not being accepted.

I have been in touch with tplink regarding a security vulnerability I reported in the past and this is most probably a fix for it.

This currently only affects some users, not all and most probably requires camera to be connected to the internet in order to receive the update for authorization, given that it affects older firmwares as well, or possibly an interaction with the official app.

I have a solution that was rejected by TPLink to be released. However, they are working on adding a new feature to the app that would allow integration to connect to cameras. They expect this to be released by mid-November 2024.

Users reported this problem in numerous issues; this issue will serve for tracking the progress on the fix and group all the conversation under one issue.

Workarounds

If you wish to use this integration, until this issue is resolved, you will need to either:

  1. If your camera still works with integration: Block internet access of camera if you are using firmware build 230921 and higher
  2. If your camera no longer works with integration: Block internet access and factory reset camera or Use older firmware than build 230921 and optionally factory reset camera

This post will stay up to date with the most recent updates below.

2024-04-11:

First report of the issue at #549

2024-04-12:

Second report of the issue at #550 along with more users confirming the issue.

2024-04-13:

This thread has been created.

From my side, I have unblocked one of my camera on the latest firmware to reach the internet, so that hopefully I can get this update soon and work on a fix. I hope TPLink will provide detailed instructions on what has been changed so that I can work on a fix.

2024-04-19:

Added instructions about build number as some cameras have different versioning of firmwares.

I reached out to TP-Link after 7 days for any updates.

2024-04-23:

@reypm found a way to work around this issue without downgrading the firmware:

  1. Factory reset the camera (it remains with 1.3.11 Build 231117 firmware since I could not find a way to downgrade the firmware)
  2. Entirely block Internet access for the camera
  3. Reinstalled the component (this component)
  4. Re-added the camera (by reinstalling the component it removes the old config)

TPLink is working on providing me with the solution, got a reply today that I need to wait a bit more.

2024-05-08:

I have some very good news and a little bit of concerning news.

Good news:

  1. Today I was finally affected with this on one of my cameras which allowed me to conduct research and I spent my whole day working on that.
  2. I now know how to solve this, I just need to figure out some of the remaining details and implement the changes which should not take more than a few weekends of active work. There is a lot of work involved but it can be done and I now know roughly how.

Now the concerning news:

  1. Integration will need to interact with tplink cloud to get the new password. This is possibly a one time job, but I do not know yet, it might expire and get a new password if it no longer works. I will need to find a way to detect this as well but that's just a little detail.
  2. Due to integration's need to interact with TPLink cloud I have reached out to TPLink for their permission. If they refuse, there is no way how to implement this unless someone else makes a script to extract the pwd AND the pwd does not change, ever. Which would also make the set up harder for everyone.

2024-05-15:

See #551 (comment)

2024-05-18:

See #551 (comment)

2024-05-29:

See #551 (comment)

2024-06-25:

See #551 (comment)

2024-07-03:

See #551 (comment)

2024-07-16:

See #551 (comment)

2024-07-18:

See #551 (comment)

2024-07-20:

See #551 (comment)

2024-07-31:

See #551 (comment)

2024-08-12:

See #551 (comment)

2024-08-19:

See #551 (comment)

2024-09-16:

See #551 (comment)

2024-09-20:

See #551 (comment)

@JurajNyiri JurajNyiri reopened this Apr 13, 2024
Repository owner deleted a comment from github-actions bot Apr 13, 2024
@JurajNyiri JurajNyiri changed the title PSA: Firmware 1.3.9 and newer causes integration not to work PSA: Firmware 1.3.9 and newer might cause integration not to work Apr 13, 2024
@JurajNyiri JurajNyiri changed the title PSA: Firmware 1.3.9 and newer might cause integration not to work ❗❗❗PSA: Firmware 1.3.9 and newer might cause integration not to work Apr 13, 2024
@reypm

reypm commented Apr 13, 2024

I am using the iOS app and everything is working fine. My camera is a Tapo C110 with Firmware Version 1.3.11 Build 231117 Rel. 47346n(5553) and as of today is not working.

@JurajNyiri
Owner Author

@reypm have you opened and used the app just before it stopped working or only after?

@reypm

reypm commented Apr 13, 2024

@JurajNyiri Yes, everything is working as expected and nothing has changed on my end with the app, I do keep my iOS apps up to date most of the time, not sure when the Tapo app did update to the latest

@JurajNyiri JurajNyiri added Bug Something isn't working Help wanted Extra attention is needed labels Apr 13, 2024
@JurajNyiri JurajNyiri added this to the 6.0.0 milestone Apr 13, 2024
@wavemop

wavemop commented Apr 14, 2024

Operating System: Android
App version: 3.2.976
Camera: C200 (Hardware-Version 3.0)
Firmware version: 1.3.13

pytapo output is: "Exception: Invalid authentication data"

I'm really hoping tp-link is calling you soon ;)

@reypm

reypm commented Apr 14, 2024

@JurajNyiri I am using this other custom component repository as well and today I noticed it disconnected some of my Tapo devices, upon research some people reported issues in their issues and the problem was fixed with version 3.1.0. I updated the component today and is working fine, I am using the very same creds I am using with your component, you can maybe take something from there or just take a look

Disclaimer: I am not advertising the other repository at all just providing some help to get the issue fixed ASAP

@JurajNyiri
Owner Author

@petretiandrea any idea if this might be related? I know your integration uses different communication method completely.

@scetu

scetu commented Apr 14, 2024

I have 3x C200 with 1.3.11 since December (#472 (comment)) with blocked DNS (only NTP is enabled - otherwise they are in zombie state) and so far no major issues.

@reypm

reypm commented Apr 14, 2024

> with blocked DNS (only NTP is enabled - otherwise they are in zombie state)

@scetu what does this mean? is there a guide for this?

@JurajNyiri
Owner Author

JurajNyiri commented Apr 14, 2024

Blocking the access after having the issue will not help — and I am not sure if it helps at all even when not having issue as the update might be pushed through the app. In order to use the camera you will either need to wait or follow steps in main post in this issue - downgrade firmware.

@jjvelar

jjvelar commented Apr 14, 2024

Hi @JurajNyiri
I have 1.3.9 firmware but no issues with integration version 5.4.17.
Should I then update the integration to version 5.4.17PSA?
Thanks,

José

@JurajNyiri
Owner Author

JurajNyiri commented Apr 14, 2024

5.4.17PSA has nothing new. It’s a way how to get the information to the end users and help them prevent having issues.
You will soon be affected most probably unless it is fixed by then.

@mbentancour

Thanks for pushing the PSA as an "update". I would have missed this if it wasn't for it. I block internet access to all my cameras but from time to time I update the firmware just to keep them up-to-date. It would be a lot of work to factory reset them just to get them to work again.

I see you have the "help wanted" tag, I have a C200 that I can use for testing, and I might be able to do some python debugging if that helps.

@scetu

scetu commented Apr 15, 2024

> with blocked DNS (only NTP is enabled - otherwise they are in zombie state)
>
> @scetu what does this mean? is there a guide for this?

Use AdGuard Home or Pi-Hole and add custom rules for filtering

||tplinknbu.com^$important
||iot.i.tplinknbu.com^$important
||tplinkcloud.com^$important

@jsapede

jsapede commented Apr 15, 2024

Hello,
my cameras are C210 1.3.13 but fully blocked internet since some weeks. Still working at this time.
Is there a documented procedure and firmware resource for downgrade?

@jakwarrior

Thanks for this "update", I would have missed the issue without it. I'm using a Tapo C200 with firmware 1.3.9 Build 231019 according to the integration. I've just blocked updates with AdGuard filters, and I haven't launched the Android app. So far, everything is still working perfectly.

@petretiandrea

petretiandrea commented Apr 15, 2024

> @petretiandrea any idea if this might be related? I know your integration uses different communication method completely.

Hi, actually I'm not calling the "cloud", so no "cloud password". My integration is completely based on local communication.
My library is using KLAP protocol

@Write

Write commented Apr 16, 2024

> with blocked DNS (only NTP is enabled - otherwise they are in zombie state)
>
> @scetu what does this mean? is there a guide for this?
>
> Use AdGuard Home or Pi-Hole and add custom rules for filtering
>
> ||tplinknbu.com^$important
> ||iot.i.tplinknbu.com^$important
> ||tplinkcloud.com^$important

Just to be entirely precise: this doesn't block their internet access per se; if the firmware contains direct IP addresses, Pi-Hole won't be able to block them. Hence, why I'd try to block their internet access at the router level. Most consumer routers from ISPs come with a "child protection mode" to block internet from specific devices at specific times, which is what I would do if I didn't have a "true" configurable router.

However, this would also block NTP requests (NTP being the server the device queries to get the current time and date).

That's the solution I use at my mom's house, and it works perfectly fine, with an automation to force sync date / time from HA to Tapo devices.

alias: "camera : Sync Tapo Time"
description: ""
trigger:
  - platform: time_pattern
    minutes: /5
condition: []
action:
  - service: button.press
    data: {}
    target:
      entity_id:
        - button.tapo_salon_sync_time
        - button.tapo_entree_sync_time
mode: single
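
The caveat in the comment above, that DNS filtering does not stop traffic to hard-coded IP addresses, can be checked from router flow logs. This is an added example, not code from this thread or from the integration; the log format, the camera and LAN addresses, and the function name are assumptions.

```python
import ipaddress
import re

# Constructed sample: flow records in a hypothetical "key=value" router log format.
SAMPLE_LOG = """\
2024-04-16T10:00:01 src=192.168.1.50 dst=192.168.1.2 proto=udp dport=53
2024-04-16T10:00:02 src=192.168.1.50 dst=203.0.113.10 proto=udp dport=123
2024-04-16T10:00:05 src=192.168.1.50 dst=198.51.100.7 proto=tcp dport=443
2024-04-16T10:00:07 src=192.168.1.51 dst=239.255.255.250 proto=udp dport=1900
2024-04-16T10:00:09 src=192.168.1.51 dst=192.168.1.10 proto=tcp dport=8123
2024-04-16T10:00:12 src=192.168.1.77 dst=198.51.100.7 proto=tcp dport=443
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$"
)
BROADCAST = ipaddress.ip_address("255.255.255.255")


def audit_camera_egress(log_text, camera_ips, lan_cidr, allow_ntp=True):
    """Return flows from the listed cameras to destinations outside the LAN.

    Each finding is (timestamp, camera_ip, dst_ip, proto, dport).
    allow_ntp=True matches a setup where only NTP is left open;
    allow_ntp=False matches a full block with time synced from Home Assistant.
    """
    cameras = {ipaddress.ip_address(ip) for ip in camera_ips}
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a flow record
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # unparseable address
        if src not in cameras:
            continue  # traffic from other hosts is out of scope
        # Local, multicast (e.g. SSDP) and broadcast traffic never leaves the LAN.
        if dst in lan or dst.is_multicast or dst == BROADCAST:
            continue
        proto, dport = m["proto"].lower(), int(m["dport"])
        if allow_ntp and proto == "udp" and dport == 123:
            continue
        findings.append((m["ts"], str(src), str(dst), proto, dport))
    return findings


if __name__ == "__main__":
    cams = ["192.168.1.50", "192.168.1.51"]
    for finding in audit_camera_egress(SAMPLE_LOG, cams, "192.168.1.0/24"):
        print("camera reached the internet:", finding)
```

An empty result over a representative time window indicates the block is holding; any finding means the camera still has a path out that the DNS rules did not cover.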

@PeteDenmark

PeteDenmark commented Apr 16, 2024

Mine are still working (well - as "well" as they always have).

Have now blocked their internet access in my router, just because there is no need for them to have internet access.

Cams: Tapo C200 (two of them)
App version: 3.2.976
Firmware: 1.3.13 Build 240327 Rel.63336n(4555)
Hardware: 3.0
Android
Haos
WebRTC for streaming

@sgurgul

sgurgul commented Apr 16, 2024

I believe accessing (or not) cameras from mobile Tapo application might explain why some cameras still operate well.

I manage 3 locations with different set of users, all having same Tapo C100/C110 cameras, with same firmware versions (1.3.9 & 1.3.11, depending on the camera model).

Two locations are "broken" since last few days - HA claiming authorization errors. 3rd one still works smoothly.

The difference is that in two broken locations users use Android Tapo application to monitor cameras. 3rd location is only integrated with HA. I made some experiments in this 3rd location - resetting camera, resetting HA, even removing and adding integration in HA - everything still works smoothly.

All locations & cameras have Internet access so this factor does not seem to explain the phenomenon in my case.

@JurajNyiri JurajNyiri removed the Duplicate This issue or pull request already exists label May 29, 2024
Repository owner deleted a comment from github-actions bot May 29, 2024
@JurajNyiri
Owner Author

JurajNyiri commented May 29, 2024

I got another update from TPLink. (Deleting above recent update since it has less / duplicate info to keep this thread clean).

TPLink is preparing a new cloud API endpoint for this integration in order to get the cloud token without the need to go through their cloud exactly like the app and my currently prepared solution.

They estimate this will be done by end of June but they are not certain and the deadline might change.

This is good and bad news for us.

It means we will have to wait longer for a solution and all the work (weeks) I spent working on it is now not going to be able to be used and released for everyone here, which makes me sad, but I learned a lot in the process.

However, this is also very good in my opinion. It means, they are indeed trying to keep this integration working well. Which is in my opinion very good news for open source and TP-Link products and their customers. To me, it shows their intent to work with open source projects and open home.
It also means, whatever solution they prepare will be official, will not break unintentionally and will be above board, which makes this integration more stable in the future.

What to do now?

For the affected users, at this point your option is to downgrade the firmware if you wish to use this integration in the meantime.

If you are not affected with this issue yet, and are running the recent firmware higher than build 230921 block internet access of the camera now.

Next steps

Once I receive an update from TPLink I will work on integrating it and releasing it ASAP. If I do not get an update by July 1st, I will send a reminder.

@bucker00

Oh man, I feel for ya - appreciate all your hard work on this!

@MLammerding

Thx a lot for your work!👍🏻🚀
Is there a chance to update the list of the old firmwares? The latest list is 7 months old now
Thx in advance!✌🏻

@JurajNyiri
Owner Author

JurajNyiri commented May 29, 2024

@MLammerding these are not tracked or maintained by me. I do not know where and how the author got them. In any case, you do not want firmware newer than 7 months for this integration. You need build before 230921.

@fredrikhaggbom
Contributor

Thanks for your work @JurajNyiri! Much appreciated, and I think an official interface from TP-link is best in the long run.

Not sure this has been mentioned before (at least it wasn't clear to me), but the downgrade process was very easy and I didn't need to factory reset the camera (which means I didn't have to reconfigure anything, all settings were preserved after the downgrade). The process I did (with my two C320WS cameras):

  1. Downgraded according to the process described above.
  2. Rebooted camera. All settings were still there and I was able to connect to it in the Tapo-app as before.
  3. Reauthorised the camera in this integration in Home-assistant. Nothing else was changed (same entity names and so on).
  4. Disabled the auto-update feature for the cameras in the Tapo-app to prevent it from automatically updating the cameras' firmware.

@DaveAuld

TIP:
While we wait for the solution, if you don't want to go through the hassle of downgrading all the cameras, you can always use the ONVIF integration then in your dashboards, comment out your existing Tapo entities and replace with the ONVIF equivalent
The camera username and password remains the same when configuring the ONVIF devices and the port is 2020.
I have just switched over 6 cameras doing this, and will at least give me the feeds from the cameras for the time being.

@JurajNyiri JurajNyiri changed the title ❗❗❗PSA: Firmware 1.3.8 (or build 230921 and higher) and newer might cause integration not to work ❗❗❗Invalid cloud password on firmware build 230921 and higher May 30, 2024
Repository owner locked as off-topic and limited conversation to collaborators Jun 1, 2024
@JurajNyiri
Owner Author

JurajNyiri commented Jun 1, 2024

Unfortunately I was forced to lock this due to too many off topic and duplicate posts sending notifications out to everyone watching this issue. This was after more than 3 warnings were sent previously and users ignoring these.

Every information you need regarding this issue is in the main post at the top.

If you have anything new and valuable to share feel free to email me.

@JurajNyiri
Owner Author

JurajNyiri commented Jun 25, 2024

I saw an increase of messages on Discord talking about inactivity on this issue.

If you are wondering what is new, I am waiting for TPLink to send me instructions about endpoint they are developing specifically for this and this integration that should be done around end of June the last I heard from them.

See this message for more details and how to get your camera working in the meantime.

@JurajNyiri
Owner Author

I have sent an email to TPLink asking for an update on the new API endpoint they are developing.

@JurajNyiri
Owner Author

I have not received an answer back since the last time I reached out 2 weeks ago. I have sent a reminder today asking for an update regarding endpoint availability.

@JurajNyiri
Owner Author

JurajNyiri commented Jul 16, 2024

I have enabled discussions on this repository. Feel free to discuss this there, please avoid any heated conversations as always. This is frustrating for everybody in here, but at this point there is nothing else to do other than to wait.
You can follow a guide for downgrading.

@JurajNyiri
Owner Author

Guide to add camera with firmware build 230921 and higher

  1. Block internet access to this device on your router.
  2. Make a factory reset, pressing 5 seconds on the reset button.
  3. Remove the camera from tapo app, and add it again.
  4. When asked to reset it completely, do it, and configure the camera again.
  5. Create the account credentials for your camera.
  6. Configure it in home assistant and done.

Discovered & Documented by @vitorsemeano, discuss at #625 (comment) .

@JurajNyiri
Owner Author

Updated guide on how to get the cameras working with HA even with new firmware here.

This issue is going to be kept locked and for updates on resolution only. If you wish to discuss, you can do so at https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/discussions/categories/discuss .

@JurajNyiri
Owner Author

I have not received an answer back for the last 2 times I reached out for the past month.

I have sent a reminder today asking for an update regarding endpoint availability, and reminded that I already have a working solution if there are issues with the endpoint implementation. I also offered to go to a meeting if they have any questions.

@JurajNyiri
Owner Author

I received an answer from TPLink on Aug 9 (last Friday).

They apologize for the delay and ask me to wait for the decision (they have not mentioned the new endpoint).

I responded and asked them to let me know if they require any further details or information that can speed up the process. I have also mentioned that a lot of users are now affected by this forcing them to block internet connection, or downgrade firmware.

@JurajNyiri
Owner Author

JurajNyiri commented Aug 19, 2024

TP-Link has requested to review the code on Friday, Aug 16, that I have prepared that has the ability to retrieve cloud issued token. I have shared both the pytapo and this integration new version along with very detailed description of everything and how to run with them and am waiting for them to get back to me.

@JurajNyiri
Owner Author

JurajNyiri commented Sep 16, 2024

I have sent a reminder today to TPLink since there has been no answer since 2024-08-16 when I sent them code and documentation they requested for a review.

Again, I have offered to go on a meeting if there is a need in order to speed this up. I asked them if they have any additional questions and asked for an approval to use cloud inside this integration.

@JurajNyiri
Owner Author

I received an answer from TPLink today.

They have thoroughly reviewed the code I sent them and they DO NOT AUTHORIZE the release of the new integration version communicating with cloud.

The reason stated is, simply, it would expose details on how to communicate with their cloud and then anyone could do it.

Further, they state that protecting their users' data and ensuring secure communications are their top priorities, and they cannot take on the additional risks that this integration would entail.

In a response, I have addressed their stated reasons for rejection with my disagreement, but understanding, and tips on how they can improve the cloud architecture & security so that these are not problems for them in the future, even if someone finds a way how the app communicates with cloud. I cannot document the exact reasons and details of them as I would be going against their wishes.

However, they also stated that they are now working on a new version of application, that would allow the cameras with new firmwares to be used inside this integration, just like before the changes. I asked for more implementation details on that.

They expect this feature to be completed and launched by mid-November.

While this is all very disappointing, I am glad to see their focus on getting the newest firmwares to work with this integration (and Home Assistant) again and that they have it already planned. My hope is that it also means the integration would stay fully local. I asked for confirmation on that as well.

I sent them 5 questions in total:

  1. Previously, you mentioned that there would be a new cloud endpoint. Is this the solution or was that work cancelled?
  2. How will it work compared to the solution with cloud issued token that is present today? Are you planning to allow users to set a password for control in addition to an RTSP account, or some other solution?
  3. Would this mentioned solution be fully local, not requiring communication with the cloud?
  4. Would this work on the newest firmware of the cameras and would it require firmware to be updated to a new version?
  5. Could you please share any planned changes needed on the integration side, so that I can prepare for this change?
