TP-Link Kasa cameras leaked home GPS via unauthenticated UDP for 6 years
A security analysis revealed TP-Link Kasa Spot EC71 cameras exposed precise home GPS data via unauthenticated UDP for years, alongside other critical vulnerabilities.
Intelligence analysis by Gemini 2.5 Flash
The Kasa Spot EC71 camera, and potentially other TP-Link camera products, were found to leak exact GPS coordinates without authentication, a vulnerability known since 2020 for cameras and 2016 for the underlying protocol. This, coupled with insecure credential storage and cryptographic failures, was patched after a six-month coordinated disclosure process.
Imagine your home security camera secretly shouting out your exact address to anyone nearby, even strangers, for many years. That's kind of what happened with some TP-Link Kasa cameras. A smart detective found out these cameras were leaking your home's secret location, along with other private info, because of some old mistakes in their design. It took a long time and a lot of effort to get the company to fix it, like trying to patch a leaky roof that's been dripping for ages.
Analysis
A Persistent Privacy Breach
The security advisory details a significant privacy vulnerability in TP-Link's Kasa Spot EC71 indoor cameras, where precise home GPS coordinates were exposed via unauthenticated UDP for an extended period. This specific GPS exposure has been publicly known across TP-Link's camera product line since August 2020, and the underlying unauthenticated protocol vulnerability dates back to July 2016. Despite TP-Link remediating an identical vulnerability in its smart plug line in November 2020, the fix was not extended to the camera products, indicating a pattern of incremental rather than comprehensive security reviews. The implications are severe, as an attacker could pinpoint a user's home location without needing to authenticate to the device or network.
Beyond the GPS leak, the analysis uncovered other critical vulnerabilities, including cryptographic failures related to a fleet-wide RSA key and the insecure storage of credentials using unsalted MD5 hashes. These flaws collectively compromised the confidentiality, integrity, and availability of the devices. A particularly concerning finding is a secondary market attack path, which allows for the recovery of previous owners' credentials and GPS coordinates from devices returned to factory settings, posing a risk even after a device is sold or discarded. This highlights a fundamental design flaw in how sensitive data is handled and purged from the devices.
The Arduous Disclosure Journey
The coordinated vulnerability disclosure process, initiated on January 5, 2026, was protracted and challenging, spanning six months. The timeline reveals several hurdles, including initial triage failures by the vendor, requests for extensions, and a significant incident where a beta firmware update (v2.4.00) permanently bricked the researcher's test device, requiring a hardware-level recovery and replacement. This incident underscores the complexities and risks involved in patching deeply embedded firmware and the potential for unintended consequences during remediation efforts. The vendor's initial commitment to remediate only 'issues related to the local communication TLS certificates' also suggests a limited understanding of the full scope of the reported vulnerabilities.
The researcher had to escalate the cross-domain compromise impact and submit additional proof-of-concept scripts for the GPS finding, which was initially overlooked or misunderstood by the vendor. The vendor's response to the GPS finding referenced an MD5 hash field not present in the reported payload, confirming a lack of thorough review. This required a rebuttal with video proof-of-concept to demonstrate the triage failure. The eventual remediation, spanning a 'multi component architectural redesign,' was finally implemented in firmware version 2.4.1, addressing CVE-2026-9770 (RSA/IAM) and CVE-2026-13230 (GPS), but only after considerable effort and persistence from the researcher.
Broader Implications for IoT Security
This case study serves as a stark reminder of the persistent security challenges within the Internet of Things (IoT ecosystem). The long-standing nature of the GPS vulnerability, coupled with the vendor's piecemeal approach to remediation, highlights a systemic issue where security is often an afterthought or addressed reactively rather than proactively. The fact that a similar vulnerability was patched in smart plugs but not extended to cameras suggests a lack of a unified security architecture or a comprehensive vulnerability management program across product lines. This fragmented approach leaves consumers exposed to known risks for extended periods.
The difficulties encountered during the coordinated disclosure process also shed light on the often-strained relationship between security researchers and product vendors. The need for persistent follow-ups, detailed rebuttals, and even video evidence to confirm findings indicates a gap in vendor security teams' capabilities or processes. For consumers, this means that even when vulnerabilities are identified and reported, the path to a secure device can be long and fraught with issues. The incident also emphasizes the critical role of independent security research in holding manufacturers accountable and pushing for better security practices in a rapidly expanding market of connected devices.
Key points
- TP-Link Kasa Spot EC71 cameras exposed precise home GPS coordinates via unauthenticated UDP for at least six years.
- The vulnerability was publicly known across TP-Link's camera line since August 2020, and the underlying protocol issue since July 2016.
- Additional vulnerabilities included fleet-wide RSA key reuse and insecure unsalted MD5 credential storage.
- The coordinated disclosure process took six months, involving vendor triage failures and a permanently bricked test device during beta firmware validation.
- All primary findings were remediated in firmware version 2.4.1, addressing CVE-2026-9770 and CVE-2026-13230.
The successful patching of these vulnerabilities means that users who update their Kasa Spot EC71 cameras to firmware 2.4.1 or newer will be protected from these specific privacy and security risks. This disclosure also raises awareness, potentially prompting other IoT manufacturers to review their products for similar long-standing, unauthenticated data exposure issues.
Despite the patch, many users may not update their firmware, leaving millions of devices vulnerable to precise location data exposure and other attacks. The slow and challenging remediation process, including a bricked test device, highlights the difficulties in securing complex IoT ecosystems and suggests that similar vulnerabilities might persist in other TP-Link or competitor products.

