2 min read

TP-Link Kasa camera exposed home GPS for years

Researcher Christopher Childress says TP-Link’s Kasa Spot EC71 leaked precise home GPS data over unauthenticated UDP until firmware 2.4.1.

Image: Hacker News

A patched TP-Link Kasa Spot EC71 flaw exposed a user’s precise home GPS coordinates to anyone on the local network with a single unauthenticated UDP request, according to security researcher Christopher Childress. The issue, tracked as CVE-2026-13230, was fixed in firmware 2.4.1 after a disclosure process that began on January 5, 2026 and ended with publication on July 14, 2026.

Childress’s advisory also describes two other flaws remediated in v2.4.1: a fleet-wide RSA private key embedded in firmware and unsalted MD5 storage for TP-Link ID credentials. The researcher analyzed firmware from version 2.3.26 for the Kasa Spot EC71, physically extracting it from the camera’s SPI flash and combining that with network packet and hardware analysis.

What the camera exposed

According to the report, sending {“system”:{“get_sysinfo”:{}}} to port 9999 returned a JSON response containing:

  • GPS coordinates
  • Hardware identifiers including oemId, hwId, deviceId, mac, and mic_mac
  • The user-assigned device alias
  • The full firmware version string

The data was protected only by a simple XOR cipher, which the researcher said Wireshark can decode natively. No authentication, session token, or prior setup was required.

Recommended reading

CISA Flags Two Critical FortiSandbox Bugs Under Attack

Childress says the camera stores GPS coordinates taken from the mobile device during account creation and keeps them permanently in firmware unless manually synced. The advisory argues this behavior had been publicly documented in related TP-Link products for years: the unauthenticated port 9999 protocol dates back to July 2016, and similar GPS leakage on a TP-Link KC100 camera was documented in August 2020.

Other patched flaws and disclosure timeline

The advisory’s other major finding, CVE-2026-9770, covered hardcoded RSA keys and insecure credential storage. Childress says the active 2048-bit RSA private key was identical across all devices on that firmware build, while user credentials were stored in config/account with the email address in plaintext and the password as an unsalted MD5 hash.

The disclosure process stretched over six months and included delays, a requested extension, and a failed beta update. On June 15, 2026, beta firmware 2.4.00 permanently bricked the test device, according to the advisory, and TP-Link later confirmed there was no software recovery path. A replacement unit running beta 2.4.1 was validated on June 25, 2026, with the researcher confirming that all primary findings were fixed.

TP-Link began a staged rollout over 1.5–2 weeks on June 26, 2026. The patched release is firmware 2.4.1.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via Hacker News

// Keep reading