TP-Link Kasa cameras leaked home GPS via unauthenticated UDP for 6 years
BadChemical
74 points
18 comments
July 17, 2026
Related Discussions
Found 5 related stories in 410.9ms across 14,015 title embeddings via pgvector HNSW
- TPM-Sniffing LUKS Keys on an Embedded Linux Device [CVE-2026-0714] Tiberium · 19 pts · March 01, 2026 · 52% similar
- Tenda firmware (multiple versions) contains hidden authentication backdoor miniBill · 121 pts · July 08, 2026 · 52% similar
- Bluetooth tracker hidden in postcard and mailed to warship exposed its location thunderbong · 19 pts · April 19, 2026 · 51% similar
- Bluetooth tracker in a postcard and mailed to a warship exposed its location tcp_handshaker · 18 pts · April 18, 2026 · 51% similar
- Bad Connection: Global telecom exploitation by covert surveillance actors miohtama · 123 pts · May 03, 2026 · 48% similar
Discussion Highlights (4 comments)
BadChemical
Six months of coordinated disclosure on a TP-Link Kasa camera resulted in two CVEs, a triage failure where the vendor described a vulnerability that doesn't exist in the reported payload, a beta patch that permanently bricked my test device, and a factory reset that doesn't clear previous owner data. The GPS finding (CVE-2026-13230) has been publicly documented on this device class since 2020. A single UDP packet returns sub-meter home coordinates with no authentication required. TP-Link scored it 5.3 medium. My independent assessment is 7.1 high. Precise home coordinates aren't low confidentiality impact. The credential finding (CVE-2026-9770) covers a fleet wide RSA key and unsalted MD5 TP-Link ID credentials. Same credentials provide global authentication across the TP-Link ecosystem. Factory reset on a secondhand device doesn't clear the data. Connecting to the device's soft AP during setup and sending a single UDP packet returns the previous owner's GPS coordinates.
gruez
The report seems obviously AI generated, so I can't be bothered to read in its entirety, but based on my quick skim, "leaked home GPS" makes it sound worse than it is. Unless you're dumb enough to set DMZ on this device, this won't be exposed to the internet, and if it's LAN only, don't you already know the location? Even for a remote attacker who somehow got LAN access remotely, they can probably deduce the location through other means (eg. using crowdsourced wifi databases).
drnick1
This underscores the principle that IoT devices should not be allowed to communicate over the public Internet. Pretty much all cheap, Chinese-made hardware of this kind has intentional or unintentional security holes waiting to be exploited.
BobbyTables2
That disclosure timeline is brutal…