TP-Link Kasa cameras leaked home GPS via unauthenticated UDP for 6 years

github.com

142 points by BadChemical 14 hours ago


drnick1 - 9 hours ago

This underscores the principle that IoT devices should not be allowed to communicate over the public Internet. Pretty much all cheap, Chinese-made hardware of this kind has intentional or unintentional security holes waiting to be exploited.

gruez - 10 hours ago

The report seems obviously AI generated, so I can't be bothered to read in its entirety, but based on my quick skim, "leaked home GPS" makes it sound worse than it is. Unless you're dumb enough to set DMZ on this device, this won't be exposed to the internet, and if it's LAN only, don't you already know the location? Even for a remote attacker who somehow got LAN access remotely, they can probably deduce the location through other means (eg. using crowdsourced wifi databases).

nubinetwork - 2 hours ago

The fact that a firmware upgrade bricked the camera doesn't bode well for their other products...

BobbyTables2 - 8 hours ago

That disclosure timeline is brutal…

AndyMcConachie - 4 hours ago

Why do people keep buying all this garbage and putting it in their homes?

BadChemical - 14 hours ago

Six months of coordinated disclosure on a TP-Link Kasa camera resulted in two CVEs, a triage failure where the vendor described a vulnerability that doesn't exist in the reported payload, a beta patch that permanently bricked my test device, and a factory reset that doesn't clear previous owner data.

The GPS finding (CVE-2026-13230) has been publicly documented on this device class since 2020. A single UDP packet returns sub-meter home coordinates with no authentication required. TP-Link scored it 5.3 medium. My independent assessment is 7.1 high. Precise home coordinates aren't low confidentiality impact.

The credential finding (CVE-2026-9770) covers a fleet wide RSA key and unsalted MD5 TP-Link ID credentials. Same credentials provide global authentication across the TP-Link ecosystem.

Factory reset on a secondhand device doesn't clear the data. Connecting to the device's soft AP during setup and sending a single UDP packet returns the previous owner's GPS coordinates.