Bỏ qua đến nội dung chính
Back to home
Tech AI 2 min read

TP-Link Kasa Cameras Leaked Home GPS Data via Unauthenticated UDP for 6 Years 🚨

A severe security vulnerability in TP-Link Kasa EC71 cameras allowed unauthenticated attackers to harvest users' precise GPS coordinates for six years.

Tier 2 · sources 51% confidence Reviewed
Sources github.com

According to security researchers, the TP-Link Kasa EC71 security camera has been continuously leaking precise household GPS coordinates via unauthenticated and unencrypted UDP packets for the past six years. This critical security flaw raises major questions about the security testing and quality control processes of smart device manufacturers.

Detailed Timeline

The security research published on July 17, 2026, reveals that TP-Link's Kasa EC71 camera automatically broadcasts UDP packets containing the device's GPS coordinates within the local network. Notably, this mechanism has been active since the product's launch without any security barriers. Anyone with access to the same Wi-Fi network, or through man-in-the-middle attacks, can easily intercept these packets to pinpoint the physical location of the household.

Technical & Technology Analysis

Technically, the vulnerability stems from the implementation of the UDP protocol used for device discovery features. Instead of broadcasting basic identifiers or utilizing encrypted handshake mechanisms, the camera's firmware attaches raw GPS latitude and longitude coordinates as plain text. The lack of authentication means attackers only need to listen on default service ports to harvest this sensitive location data without needing to crack device passwords.

Expert Opinions & Remarks

Cybersecurity experts comment that this is a rudimentary design flaw with severe privacy implications. Exposing precise GPS coordinates of a home security camera can be exploited by malicious actors for physical tracking or targeted break-ins. The security community on Hacker News has expressed disappointment that a major brand like TP-Link allowed such a vulnerability to persist undetected for six years.

Impact & Future

This incident once again sounds the alarm on the security of Internet of Things (IoT) devices in modern homes. For users owning the Kasa EC71 camera, the immediate recommendation is to check and update to the latest firmware if available, or isolate smart home devices on a separate virtual local area network (VLAN) to prevent sensitive location leaks.