3 min read

TP-Link Kasa Cameras Exposed Home GPS for Six Years

TP-Link Kasa EC71 cameras exposed precise home GPS, hardware IDs, RSA keys, and hashed credentials until firmware 2.4.1.

Image: Hacker News

A security review of TP-Link’s Kasa Spot EC71 indoor camera found that an unauthenticated device query could expose the owner’s precise home coordinates over the local network. The issue existed in firmware 2.3.26, released with a April 25, 2024 build date, and was fixed in version 2.4.1.

Researcher Christopher Childress of BadChemical published the advisory on July 16, 2026, following coordinated disclosure that began on January 5, 2026. TP-Link Systems Inc. remediated three primary findings: fleet-wide RSA private keys, unsalted MD5 password storage, and unauthenticated GPS exposure.

Kasa EC71 GPS exposure

A single UDP packet containing {“system”:{“get_sysinfo”:{}}} sent to port 9999 returned JSON containing:

  • Precise GPS coordinates
  • Hardware identifiers, including oemId, hwId, deviceId, mac, and mic_mac
  • The user-assigned device name
  • The full firmware version

The protocol uses only a trivial XOR cipher, which Wireshark can decode as cleartext. No authentication, session credential, or prior device setup is required.

The coordinates are collected from the mobile device’s GPS during account creation and stored in the camera’s config/location file. They remain static unless manually synchronized and are returned regardless of whether the owner enabled Kasa’s geofencing feature.

Recommended reading

ClickLock Stealer traps macOS users with password prompts

The advisory says identical unauthenticated GPS exposure was publicly documented in August 2020 for TP-Link’s KC100 camera. The underlying unauthenticated Smart Home Protocol on port 9999 has been publicly documented since July 2016. TP-Link fixed an identical vulnerability class in its smart plug product line in November 2020, but did not extend that remediation to its camera line at the time.

RSA keys and password storage

The EC71 firmware contained two complete RSA key-and-certificate pairs shared across all devices running the affected build. The active pair used a 2048-bit RSA key issued in 2021 and valid until July 2031; a legacy 1024-bit pair issued in 2014 had expired in July 2024.

Both private keys could be extracted from the camera’s SPI flash. The active key matched the certificate served at runtime, potentially exposing the cryptographic material for the entire deployed fleet. The researcher did not demonstrate interception of active traffic, and an ARP-spoofing attempt did not capture local app-to-device data.

The camera also stored TP-Link ID credentials in config/account. The account email was kept in plaintext, while the password was stored as an unsalted MD5 hash. Because TP-Link ID credentials are used across services including Kasa, Tapo, Deco, Omada, Aginet, and VIGI, the advisory describes a potential cross-domain account takeover if the hash is recovered.

The firmware was extracted using a CH341A programmer connected to the SPI flash chip. A beta firmware update later left the test camera permanently unresponsive, requiring a replacement device and hardware-level recovery. TP-Link completed validation of beta 2.4.1 on June 25, 2026, and confirmed a staged rollout was underway the following day.

TP-Link assigned CVE-2026-9770 a CVSS 4.0 score of 8.6 for the RSA and credential findings. The GPS issue is listed as CVE-2026-13230, with TP-Link’s CVSS 4.0 score of 5.3; the researcher’s independent assessment rated it 7.1. Both were marked remediated in firmware 2.4.1.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via Hacker News

/ Keep reading