Your TP-Link Kasa security camera has been broadcasting your precise home coordinates to any device on your local network — no password required — and this has been the case for roughly six years. TP-Link disclosed two vulnerabilities in its Kasa EC70 and EC71 v4 cameras on July 16, covering an unauthenticated GPS leak and a set of hardcoded encryption keys shared across every camera the company has ever shipped. Patches are available. Most devices are not yet updated.
One Packet, Your Home Address
CVE-2026-13230 is deceptively simple. Any device on the same network as a Kasa camera can send a single UDP packet to port 9999:
{"system":{"get_sysinfo":{}}}
The camera responds with its GPS coordinates, MAC address, hardware ID, and device alias — “Living Room Camera,” “Front Door,” whatever the owner named it. The only protection in place is a trivial XOR cipher that Wireshark renders as cleartext by default. The coordinates come from the mobile phone used during setup and are permanently stored in the device’s filesystem. They do not expire. They do not rotate. They sit there, answering anyone who asks.
TP-Link rates this CVE at 5.3 (Medium). The independent researcher who found it, publishing as BadChemical on GitHub, rates it 7.1 — and that gap is worth noting. A vendor rating a flaw that silently exposes your home location to anyone on your Wi-Fi as “medium severity” tells you something about how IoT vendors weigh user privacy against reputational cost.
The Key That Unlocks Every Camera
CVE-2026-9770 (CVSS 8.6 — High) is worse. Digging into the firmware, BadChemical found two complete RSA key pairs — the same ones, embedded identically across every EC70 and EC71 ever manufactured. One is a legacy 1024-bit pair from 2014. The other is an active 2048-bit pair issued in 2021, valid until 2031. Extract the private key from any single device, and you hold the decryption material for communications across the entire deployed fleet.
There is an additional layer of bad news. User credentials are stored as unsalted MD5 hashes with the account email in plaintext. An attacker who buys a used Kasa camera, extracts its flash storage, and cracks the MD5 — a GPU accomplishes this in seconds — can authenticate into the original owner’s full TP-Link account. That account may control smart locks, mesh networking equipment, and commercial cameras, not just the one used camera they purchased.
The fix, shipped in firmware 2.4.1, replaces the hardcoded RSA keys with per-device EC certificates and adds encrypted credential storage. It also upgrades the embedded TLS library from mbedTLS 2.6.0 — a version released in 2017 — to 2.28.1. According to TP-Link’s official security advisory, the update also adds mTLS authentication to local management ports.
Six Years and 10 Million Users
The vulnerable firmware dates to 2020. These cameras have been sold through Amazon, Best Buy, and Walmart to a customer base that has grown to over 10 million Kasa users. The Mirai botnet proved in 2016 that hardcoded credentials and fleet-wide shared keys in IoT devices create catastrophic attack surfaces at scale. A decade later, the same class of mistake shipped inside a product sold specifically as a home security device.
The disclosure timeline is instructive. BadChemical submitted the initial advisory in January 2026. TP-Link’s first OTA patch attempt in June bricked a test device. A validated fix arrived two weeks later. Public disclosure came July 16 — six months after the initial report, coordinated around the availability of a working patch. That is responsible disclosure, done correctly, and it is worth acknowledging. The scope beyond EC70 and EC71 is not yet confirmed: BadChemical notes that the KC100, KC110, KC115, KC410S, and KC411S share the same protocol architecture and are suspected to carry the same flaws.
This week also brought ClaudeBleed, where a rogue browser extension needs six lines of JavaScript to access Gmail through a misconfigured AI tool, and the MOSAIC attack, demonstrating how AI coding agents can be hijacked through prompt injection. Additionally, the Kasa GPS flaw requires exactly one UDP packet with no credentials. The pattern this week is consistent: products positioned as trustworthy infrastructure are themselves the attack surface.
What to Do Now
If you own a Kasa EC70 or EC71, take these steps immediately:
- Open the Kasa app, navigate to your camera settings, and check for a firmware update. You need version 2.4.0 Build 20260520 or 2.4.1 Build 20260621 or later. Details are on GBHackers’ disclosure summary.
- If you bought a Kasa camera secondhand, treat it as compromised until you factory-reset it, re-provision it under your own account, and confirm the patched firmware version is running.
- Move all IoT cameras onto a dedicated VLAN that blocks lateral access to your primary network. Any device that has ever shared a network segment with a vulnerable Kasa camera had access to your home coordinates.
- If you own a KC100, KC110, KC115, KC410S, or KC411S, watch CybersecurityNews’ coverage and TP-Link’s advisory page for updates. Those models have not been cleared.
Consumer IoT cameras have been leaking credentials, hardcoding keys, and using cleartext local protocols for as long as the category has existed. Buying a camera marketed as a security device does not mean it was designed with security in mind — it means it was designed to be inexpensive, easy to set up, and compatible with Alexa. The Kasa firmware patch is available. Update it, then put these devices on a network they cannot escape from.













