TP-Link Kasa cameras leaked home GPS via unauthenticated UDP for 6 years
Your Kasa camera may have been broadcasting your exact location since 2016.
A comprehensive security analysis of the TP-Link Kasa Spot EC71 indoor camera (firmware 2.3.26) has revealed three critical vulnerabilities that collectively compromise device and user privacy. Researcher Christopher Childress extracted the firmware via a CH341A programmer and confirmed that the camera broadcasts precise GPS coordinates over an unauthenticated UDP protocol—allowing anyone on the same network to capture the home location without any login or encryption. The device also shipped with a fleet-wide RSA private key and stored user credentials using unsalted MD5 hashes. These issues are tracked as CVE-2026-9770 (RSA/IAM) and CVE-2026-13230 (GPS) and have been remediated in firmware v2.4.1. The GPS exposure is particularly concerning: it was publicly known since August 2020 across TP-Link's camera lineup and since July 2016 for the underlying unauthenticated protocol. TP-Link had fixed an identical class of vulnerability in its smart plug product line in November 2020, but failed to apply the same fix to cameras, resulting in six additional years of exposure.
The coordinated disclosure process, initiated on January 5, 2026, revealed a pattern of incremental patching rather than a comprehensive security redesign. The vendor acknowledged the GPS finding in March 2026 but requested several extensions, citing performance stability issues during a 60% grayscale firmware rollout. At one point, the vendor's triage response incorrectly referenced an MD5 hash field not present in the actual payload, indicating the report was not thoroughly reviewed before response. The researcher eventually submitted a video proof-of-concept to document the triage failure. Beyond the network-level GPS leak, Childress also identified a secondary-market attack path: devices returned to factory settings still retain the previous owner's credentials and GPS coordinates, allowing a buyer to recover that data. This finding highlights the need for hardware-level secure erase features in IoT devices.
- Kasa Spot EC71 cameras leaked GPS coordinates over unauthenticated UDP—no password or encryption required.
- The GPS vulnerability was known since 2016 and a fix for smart plugs existed since 2020, but cameras were left exposed for 6 more years.
- Factory reset does not properly clear credentials or GPS data, enabling recovery of the previous owner's information on secondary-market devices.
Why It Matters
Millions of Kasa cameras have been exposing homeowners' precise GPS locations for years with zero authentication required.