> This is so bad that it must be intentional, right? Even though these are dirt cheap, they couldn't come up with $100,000 to check for run-of-the-mill vulnerabilities?

The camera sells for $17.99 on their website right now.

Subtract out the cost of the hardware, the box, warehousing, transit to the warehouse, assembly, testing, returns, lost shipments, warranty replacements, support staff, and everything else, then imagine how much is left over for profit. Let's be very optimistic and say $5 per unit.

That $5 per unit profit would mean an additional $100,000 invested in software development would be like taking 20,000 units of this camera and lighting them on fire. Or they could not do that and improve their bottom line numbers by $100,000.

TP-Link has a huge lineup of products and is constantly introducing new things. Multiply that $100,000 across the probably 100+ products on their websites and it becomes tens of millions of dollars per year.

The only way these ultra-cheap products are getting shipped at these prices is by doing the absolute bare minimum of software development. They take a reference design from the chip vendor, have 1 or 2 low wage engineers change things in the reference codebase until it appears to work, then they ship it.

It's been long known many older TP-Link IoT devices doesn't require any authentication to connect, as my Kasa HS300 strips. Later models requires the account credential [1], but I'm not surprised that they still left something wide open (e.g., WiFi config endpoint for provisioning). I tend to believe this is just poor software engineering (Hanlon's razor).

[1] https://www.home-assistant.io/integrations/tplink/

Some cameras that "charge" with USB also can use a USB network adapter (provided they can supply power).

For the tech savvy, there is thingino as a firmware alternative - works local only, no cloud, and supports mqtt etc.

Don't put them on untrusted networks. This always seemed obvious to me.

> I assume any Wi-Fi camera has basically the same problems.

ftfy