TP-Link Kasa EC71 cameras leaked home GPS via UDP for 6 years
Original: TP-Link Kasa cameras leaked home GPS via unauthenticated UDP for 6 years
Why This Matters
IoT home cameras silently exposing GPS data underscores persistent authentication gaps in consumer smart-home devices.
Researcher Christopher Childress disclosed two patched CVEs (CVE-2026-9770, CVE-2026-13230) in TP-Link Kasa Spot EC71 indoor cameras. Firmware 2.3.26 exposed home GPS coordinates and RSA/IAM data over unauthenticated UDP. Fixes were issued in firmware 2.4.1, published July 16, 2026.
Security researcher Christopher Childress (BadChemical) published a full advisory revealing two vulnerabilities in the TP-Link Kasa Spot EC71 indoor security camera running firmware 2.3.26 (build date April 25, 2024). The flaws, assigned CVE-2026-9770 (RSA/IAM credential exposure) and CVE-2026-13230 (GPS location disclosure), allowed any unauthenticated party on the network to query the device over UDP and retrieve the home's precise GPS coordinates as well as authentication-related data. Because the camera firmware line traces back roughly six years, devices across a wide installed base were potentially affected before the patch was released. TP-Link Systems Inc. was notified through coordinated disclosure and released patched firmware version 2.4.1 to address both issues. Childress published proof-of-concept code in a public GitHub repository strictly for educational and defensive research purposes, noting that the vulnerabilities are fully remediated in the latest firmware.