TP-Link Kasa cameras leaked home GPS via unauthenticated UDP for 6 years(github.com)
233 points by BadChemical 1 day ago | 87 comments
tl;dr: TP-Link Kasa Spot EC71 cameras exposed precise home GPS coordinates, hardware IDs, and device metadata via a single unauthenticated UDP packet to port 9999 — a flaw in TP-Link's Smart Home Protocol publicly documented since 2016 and specifically identified on Kasa cameras in 2020. The firmware also contained fleet-wide RSA keys and stored TP-Link ID credentials as unsalted MD5 hashes, enabling cross-domain account takeover across Tapo, Deco, and VIGI products, with residual data on factory-reset devices creating a secondhand-market attack path. TP-Link patched the issues in firmware 2.4.1 after six months of coordinated disclosure.
HN Discussion:
  • IoT devices shouldn't be on the public internet, especially cheap Chinese hardware with security holes
  • Article overstates the severity since LAN-only exposure means attacker likely already knows location
  • Widespread problem of devices leaking location data via unencrypted protocols to uncontrolled endpoints
  • Firsthand confirmation of the brutal disclosure timeline, bricked device, and unresolved factory reset issue
  • Local network API access is reasonable and desirable; this issue is overblown compared to router vulnerabilities