HomeAssistant-Tapo-Control
❗❗❗Invalid cloud password on firmware build 230921 and higher
Thread for invalid cloud password on firmware build 230921 and higher
Notice: This issue has been locked for discussion, and will be used to post updates only. Discuss or ask a question.
There have been reports from users on firmware 1.3.8 and newer, or on some cameras on other firmware with build 230921 and newer, of the integration ceasing to work. This shows as the cloud password not being accepted.
I have been in touch with tplink regarding a security vulnerability I reported in the past and this is most probably a fix for it.
This currently only affects some users, not all, and most probably requires the camera to be connected to the internet in order to receive the update for authorization, given that it affects older firmwares as well, or possibly an interaction with the official app.
I have a solution that was rejected by TPLink to be released. However, they are working on adding a new feature to the app that would allow the integration to connect to cameras. They expect this to be released by mid-November 2024.
Users reported this problem in numerous issues; this issue will serve for tracking the progress on the fix and group all the conversation under one issue.
Workarounds
If you wish to use this integration, until this issue is resolved, you will need to either:
- If your camera still works with integration: Block internet access of camera if you are using firmware build 230921 and higher
- If your camera no longer works with integration: Block internet access and factory reset camera or use older firmware than build 230921 and optionally factory reset camera
This post will stay up to date with the most recent updates below.
2024-04-11:
First report of the issue at https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/549
2024-04-12:
Second report of the issue at https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/550 along with more users confirming the issue.
2024-04-13:
This thread has been created.
From my side, I have unblocked one of my cameras on the latest firmware to reach the internet, so that hopefully I can get this update soon and work on a fix. I hope TPLink will provide detailed instructions on what has been changed so that I can work on a fix.
2024-04-19:
Added instructions about build number as some cameras have different versioning of firmwares.
I reached out to TP-Link after 7 days for any updates.
2024-04-23:
@reypm found a way to work around this issue without downgrading the firmware:
- Factory reset the camera (it remains with 1.3.11 Build 231117 firmware since I could not find a way to downgrade the firmware)
- Entirely block Internet access for the camera
- Reinstalled the component (this component)
- Re-added the camera (by reinstalling the component it removes the old config)
TPLink is working on providing me with the solution, got a reply today that I need to wait a bit more.
2024-05-08:
I have some very good news and a little bit of concerning news.
Good news:
- Today I was finally affected with this on one of my cameras which allowed me to conduct research and I spent my whole day working on that.
- I now know how to solve this, I just need to figure out some of the remaining details and implement the changes which should not take more than a few weekends of active work. There is a lot of work involved but it can be done and I now know roughly how.
Now the concerning news:
- Integration will need to interact with tplink cloud to get the new password. This is possibly a one time job, but I do not know yet, it might expire and get a new password if it no longer works. I will need to find a way to detect this as well but that's just a little detail.
- Due to integration's need to interact with TPLink cloud I have reached out to TPLink for their permission. If they refuse, there is no way to implement this unless someone else makes a script to extract the pwd AND the pwd does not change, ever. Which would also make the set up harder for everyone.
2024-05-15:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2111341474
2024-05-18:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2118381739
2024-05-29:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2137323663
2024-06-25:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2189695781
2024-07-03:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2205580658
2024-07-16:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2230580891
2024-07-18:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2235950853
2024-07-20:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2241111249
2024-07-31:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2260750095
2024-08-12:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2283986721
2024-08-19:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2296393379
2024-09-16:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2353307429
2024-09-20:
See https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/551#issuecomment-2363817573
I am using the iOS app and everything is working fine. My camera is a Tapo C110 with Firmware Version 1.3.11 Build 231117 Rel. 47346n(5553) and as of today is not working.
@reypm have you opened and used the app just before it stopped working or only after?
@JurajNyiri Yes, everything is working as expected and nothing has changed on my end with the app, I do keep my iOS apps up to date most of the time, not sure when the Tapo app did update to the latest
Hello, I have the issue on C210 with firmware 1.3.11, cloud password no longer accepted in HA. Do you need any more information?
Thank you for the heads up!
Operating System: Android
App version: 3.2.976
Camera: C200 (Hardware-Version 3.0)
Firmware version: 1.3.13
pytapo output is: "Exception: Invalid authentication data"
I'm really hoping tp-link is calling you soon ;)
@JurajNyiri I am using this other custom component repository as well and today I noticed it disconnected some of my Tapo devices, upon research some people reported issues in their issues and the problem was fixed with version 3.1.0. I updated the component today and is working fine, I am using the very same creds I am using with your component, you can maybe take something from there or just take a look
Disclaimer: I am not advertising the other repository at all just providing some help to get the issue fixed ASAP
@petretiandrea any idea if this might be related? I know your integration uses different communication method completely.
I have 3x C200 with 1.3.11 since December (https://github.com/JurajNyiri/HomeAssistant-Tapo-Control/issues/472#issuecomment-1845959412) with blocked DNS (only NTP is enabled - otherwise they are in zombie state) and so far no major issues.
> with blocked DNS (only NTP is enabled - otherwise they are in zombie state)
@scetu what does this mean? is there a guide for this?
Blocking the access after having the issue will not help — and I am not sure if it helps at all even when not having issue as the update might be pushed through the app. In order to use the camera you will either need to wait or follow steps in main post in this issue - downgrade firmware.
Hi @JurajNyiri I have 1.3.9 firmware but no issues with integration version 5.4.17. Should I then update the integration to version 5.4.17PSA? Thanks,
José
5.4.17PSA has nothing new. It’s a way to get the information to the end users and help them prevent having issues. You will soon be affected most probably unless it is fixed by then.
Thanks for pushing the PSA as an "update". I would have missed this if it wasn't for it. I block internet access to all my cameras but from time to time I update the firmware just to keep them up-to-date. It would be a lot of work to factory reset them just to get them to work again.
I see you have the "help wanted" tag, I have a C200 that I can use for testing, and I might be able to do some python debugging if that helps.
> > with blocked DNS (only NTP is enabled - otherwise they are in zombie state)
> @scetu what does this mean? is there a guide for this?
Use AdGuard Home or Pi-Hole and add custom rules for filtering
||tplinknbu.com^$important
||iot.i.tplinknbu.com^$important
||tplinkcloud.com^$important
Hello, my cameras are C210 1.3.13 but fully blocked internet since some weeks. Still working at this time. Is there a documented procedure and firmware resource for downgrade?
Thanks for this "update", I would have missed the issue without it. I'm using a Tapo C200 with firmware 1.3.9 Build 231019 according to the integration. I've just blocked updates with AdGuard filters, and I haven't launched the Android app. So far, everything is still working perfectly.
> @petretiandrea any idea if this might be related? I know your integration uses different communication method completely.
Hi, actually I'm not calling the "cloud", so no "cloud password". My integration is completely based on local communication. My library is using KLAP protocol
> > > with blocked DNS (only NTP is enabled - otherwise they are in zombie state)
> > @scetu what does this mean? is there a guide for this?
> Use AdGuard Home or Pi-Hole and add custom rules for filtering
> ||tplinknbu.com^$important
> ||iot.i.tplinknbu.com^$important
> ||tplinkcloud.com^$important
Just to be entirely precise: this doesn't block their internet access per se; if the firmware contains a direct IP address, Pi-Hole won't be able to block it. Hence why I'd try to block their internet access at the router level. Most consumer routers from ISPs come with a "child protection mode" to block internet from specific devices at specific times, which is what I would do if I didn't have a "true" configurable router.
However, this would also block NTP (Server to which the device request to, to get current time and date) requests too.
That's the solution I use at my mom's house, and it works perfectly fine, with an automation to force sync date / time from HA to Tapo devices.
```yaml
alias: "camera : Sync Tapo Time"
description: ""
trigger:
  - platform: time_pattern
    minutes: /5
condition: []
action:
  - service: button.press
    data: {}
    target:
      entity_id:
        - button.tapo_salon_sync_time
        - button.tapo_entree_sync_time
mode: single
```
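The caveat in the comment above (a DNS filter only sees lookups, so a connection to a hard-coded IP address never reaches it) can be checked against a camera's traffic log. This is an added example, not code from the thread or the integration; the event format, the `192.168.1.0/24` LAN, the `device.example` hostname and all IP addresses are constructed assumptions.

```python
import ipaddress

# Filter rules quoted in the thread (AdGuard Home / Pi-hole syntax).
RULES = [
    "||tplinknbu.com^$important",
    "||iot.i.tplinknbu.com^$important",
    "||tplinkcloud.com^$important",
]
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet

def rule_domain(rule):
    """Return the domain of a '||domain^' rule, or None for other syntax."""
    body = rule.split("$", 1)[0]  # drop modifiers such as $important
    if body.startswith("||") and body.endswith("^"):
        return body[2:-1].lower()
    return None

def is_blocked(hostname, rules=RULES):
    """'||d^' matches d itself and every subdomain of d, nothing else."""
    host = hostname.lower().rstrip(".")
    domains = [d for d in map(rule_domain, rules) if d]
    return any(host == d or host.endswith("." + d) for d in domains)

def audit(events, rules=RULES, lan=LAN):
    """Split camera traffic into blocked lookups, allowed lookups and
    connections to non-LAN IPs that no allowed lookup ever returned."""
    blocked, allowed, direct, resolved = [], [], [], set()
    for event in events:
        if event[0] == "dns":
            _, name, answer = event
            if is_blocked(name, rules):
                blocked.append(name)  # camera gets no usable address
            else:
                allowed.append(name)
                resolved.add(ipaddress.ip_address(answer))
        elif event[0] == "conn":
            ip = ipaddress.ip_address(event[1])
            if ip not in lan and ip not in resolved:
                direct.append(str(ip))  # never seen by the DNS filter
    return blocked, allowed, direct

# Constructed sample log: ("dns", name, answer) or ("conn", dest_ip).
SAMPLE = [
    ("dns", "iot.i.tplinknbu.com", "203.0.113.10"),
    ("dns", "device.example.tplinkcloud.com", "203.0.113.11"),
    ("dns", "pool.ntp.org", "198.51.100.5"),
    ("conn", "198.51.100.5"),
    ("conn", "192.168.1.20"),
    ("conn", "203.0.113.77"),
]
```

Any address that ends up in the third list is traffic that only a router-level block would stop.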
Mine are still working (well - as "well" as they always have).
Have now blocked their internet access in my router, just because there is no need for them to have internet access.
Cams: Tapo C200 (two of them)
App version: 3.2.976
Firmware: 1.3.13 Build 240327 Rel.63336n(4555)
Hardware: 3.0
Android
Haos
WebRTC for streaming
I believe accessing (or not) cameras from mobile Tapo application might explain why some cameras still operate well.
I manage 3 locations with different set of users, all having same Tapo C100/C110 cameras, with same firmware versions (1.3.9 & 1.3.11, depending on the camera model).
Two locations are "broken" since last few days - HA claiming authorization errors. 3rd one still works smoothly.
The difference is that in two broken locations users use Android Tapo application to monitor cameras. 3rd location is only integrated with HA. I made some experiments in this 3rd location - resetting camera, resetting HA, even removing and adding integration in HA - everything still works smoothly.
All locations & cameras have Internet access, so this factor does not seem to explain the phenomenon in my case.
I have a C210 that's been updated to 1.3.11 and it's been working fine, maybe only some devices are affected
I'm using a C200 with 1.3.13 firmware and I'm using no cloud, all running only local. So why do I need this 'cloud' password which I don't have ?
What can I do to get the camera back in my HA ?
The camera is shown fine in Tapo app on my Android devices
> I'm using a C200 with 1.3.13 firmware and I'm using no cloud, all running only local. So why do I need this 'cloud' password which I don't have ?
> What can I do to get the camera back in my HA ?
> The camera is shown fine in Tapo app on my Android devices
Rollback their firmware as stated in the first post. He is still investigating the issue.
> > I'm using a C200 with 1.3.13 firmware and I'm using no cloud, all running only local. So why do I need this 'cloud' password which I don't have ? What can I do to get the camera back in my HA ? The camera is shown fine in Tapo app on my Android devices
> Rollback their firmware as stated in the first post. He is still investigating the issue.
OK; but .... there is no way to downgrade, because there is no firmware archive available for my device
> > > I'm using a C200 with 1.3.13 firmware and I'm using no cloud, all running only local. So why do I need this 'cloud' password which I don't have ? What can I do to get the camera back in my HA ? The camera is shown fine in Tapo app on my Android devices
> > Rollback their firmware as stated in the first post. He is still investigating the issue.
> OK; but .... there is no way to downgrade, because there is no firmware archive available for my device
You can follow downgrade process from here https://github.com/nervous-inhuman/tplink-tapo-c200-re/issues/4
Here is actual list of firmwares https://github.com/nervous-inhuman/tplink-tapo-c200-re/issues/4#issuecomment-1774137539
I went through it previously
> > > > I'm using a C200 with 1.3.13 firmware and I'm using no cloud, all running only local. So why do I need this 'cloud' password which I don't have ? What can I do to get the camera back in my HA ? The camera is shown fine in Tapo app on my Android devices
> > > Rollback their firmware as stated in the first post. He is still investigating the issue.
> > OK; but .... there is no way to downgrade, because there is no firmware archive available for my device
> You can follow downgrade process from here nervous-inhuman/tplink-tapo-c200-re#4 Here is actual list of firmwares nervous-inhuman/tplink-tapo-c200-re#4 (comment)
> I went through it previously
THX, but I own a v3.20. And the firmware is for v1
I've just got a C120 and was expecting to run into this issue as we want to use tapo app as well as HA. When setting up the app as a new user, the wizard highlighted that the camera should have its firmware updated and let me pick a time for the auto-update to happen. It also alerted me to where in the app device settings I could disable auto firmware update.
So yes, firmware update is scheduled by the app, and can be turned off.
Edit: sorry these screenshots are large, feel free to hide them but I thought it might be useful for others to see how to turn off firmware updates if they haven't got the new version already, or for after a downgrade.
Side note, I am a python developer and work on other home assistant integrations already. If I was to let my app upgrade the rather old firmware and the integration broke, do you have thoughts on what sort of work / help would be required to get this fixed properly?
Edited (JN): Made images smaller.
Automatic updates can be also simply turned off via HA:
@andrewleech if you would like to help please reach out to me on discord and if you are able to replicate the issue I can guide you on how we can debug this and fix. I am currently stuck not affected unfortunately so I cannot do anything. No news from TPLink as well.
So I just bought the C200 v3, I knew about HACS integration then I just setup everything and let the FW update. Then I saw this issue. I've followed the downgrade process, but I still have the "cloud authentication error". Let me know if I can provide more info, and thanks for this awesome work.
Operating System: iOS
App version: 3.3.107 (TAPO APP)
Camera: C200 v3
Firmware version: 1.3.8 (downgraded from 1.3.13 to > Tapo_C200v3_en_1.3.8_Build_230921_Rel.14633n_up_boot-signed_1695870480542)
If you have downgraded you will also need to remove the camera from your account, factory reset, add back to your account and ensure you are entering correct credentials.
If it does not work try downgrading further and let us know which firmware worked so that we know which firmwares are affected as this is currently not verified.