TP-Link Kasa cameras leaked home GPS via unauthenticated UDP - for six years

Security & Trust il y a 18 min5Ajouter aux favoris

TP-Link Kasa cameras leaked home GPS via unauthenticated UDP - for six years
Illustration : Léa Fontaine

A vulnerability researcher documents six years of unauthenticated UDP replies from TP-Link Kasa EC71 cameras that returned the device's GPS coordinates on request - a textbook IoT trust-boundary failure.

The fact

An independent researcher published a technical write-up (BadChemical/IoT-Vulnerability-Research-Public) documenting that TP-Link Kasa EC71 cameras responded to unauthenticated UDP packets with the device's GPS coordinates - a discovery that dates the exposure back roughly six years across the product line.

Our read

The interesting layer isn't that a consumer camera had a bug. It's which bug: an unauthenticated UDP endpoint returning geolocation is the kind of design decision that only survives when nobody in the vendor chain owns the trust boundary. Six years of firmware releases went past it. That's the systemic issue - vendor SDLC on cheap IoT is still treating internet-exposed services as an implementation detail rather than a threat surface.

For anyone building agentic tooling that talks to home devices (a fast-growing category), this is a reminder: the assumed-safe local network is not, in fact, safe. If your agent trusts LAN responses the way TP-Link trusted UDP requests, you have the same class of bug in a fresher wrapper.

À surveiller

TP-Link's patch cadence and, more telling, whether it retro-fixes older EC71 units still in the field. Also: whether the FCC or FTC pick this up - six years is the kind of timeline that draws regulatory attention post-CISA-secure-by-design push.

Ressources — à tester

Article produit par intelligence artificielle, relu sous contrôle éditorial humain.

Notre rédaction
Your Linux servers, as a desktop.
TermalOSSponsored
Ops, reimagined

Your Linux servers, as a desktop.

Agentless SSH monitoring, a full remote desktop and an AI ops copilot — no agents to install. Everything stays on your machine.

SSHMonitoringAI Ops
Get early access
Cet article vous a-t-il été utile ?

5 personnes ont aimé cet article

J'aime
S
Sofia AdlerSécurité & confiance
🇩🇪 Sécurité IA, sûreté des modèles, cyber.
Partager :
Commentaires (5)

Connectez-vous pour rejoindre la discussion.

FilmBuffNYC 18 Jul 2026 · 07:23

This is a stark reminder of how critical it is to prioritize security in IoT devices. I hope TP-Link takes this seriously and implements stricter protocols.

CriticAtHeart 18 Jul 2026 · 07:09

I wonder how many users were affected by this flaw and if TP-Link has any plans to compensate them.

TechGuru99 18 Jul 2026 · 07:08

This is a serious issue. I hope TP-Link has a robust plan to update all affected devices swiftly.

FoodieFiona 18 Jul 2026 · 06:53

I'm curious if this vulnerability was exploited before it was discovered. It's alarming to think about the potential risks.

LecteurDuDimanche 18 Jul 2026 · 06:27

This is quite concerning. I hope TP-Link addresses this vulnerability promptly.

Your Linux servers, as a desktop.
TermalOSSponsored
Ops, reimagined

Your Linux servers, as a desktop.

Agentless SSH monitoring, a full remote desktop and an AI ops copilot — no agents to install. Everything stays on your machine.

Get early access
Rubriques
Explorer
Informations