TP-Link Kasa cameras leaked home GPS via unauthenticated UDP for 6 years
TP-Link's Kasa EC71 camera exposed precise GPS coordinates via a 6-year-old unauthenticated protocol flaw, plus a fleet-wide RSA key and MD5 password storage.
Security researcher BadChemical uncovered three vulnerability chains in the firmware of TP-Link's Kasa Spot EC71 camera (v2.3.26): a hardcoded, fleet-wide RSA private key extractable via SPI flash, user passwords stored as unsalted MD5 hashes, and precise GPS location data exposed through an unauthenticated protocol. The GPS exposure traces back to a protocol-level flaw publicly known since 2016, and TP-Link had already fixed the identical issue in its smart plug line back in 2020 without ever extending that fix to its cameras.
The coordinated disclosure took over six months and included a beta firmware update that permanently bricked a test device, requiring hardware-level recovery and a replacement unit. A secondary-market attack path was also confirmed, allowing recovery of a previous owner's credentials and GPS coordinates from factory-reset devices.
The issues were tracked as CVE-2026-9770 (RSA key and credential storage, vendor CVSS 8.6) and CVE-2026-13230 (GPS exposure), both remediated in firmware 2.4.1. The case illustrates a broader pattern of vendors applying narrow, product-by-product patches rather than conducting a comprehensive architectural security review across a shared codebase.