TL;DR
Researchers uncovered a security vulnerability in TP-Link Kasa cameras that leaked home GPS data via unauthenticated UDP packets. The flaw persisted for six years before being addressed. This raises significant privacy concerns for users worldwide.
Security researchers have revealed that TP-Link Kasa cameras have been leaking users’ home GPS locations through unauthenticated UDP packets for over six years. This long-standing vulnerability exposes sensitive location data, raising serious privacy concerns for millions of users worldwide. The company has acknowledged the issue and is working on a fix, but the extent of affected devices remains unclear.
The vulnerability was identified by cybersecurity researchers who discovered that TP-Link Kasa cameras transmitted home GPS coordinates via unprotected UDP packets. These packets could be received by anyone within network range, without authentication or encryption, exposing users’ precise locations.
According to the researchers, the flaw persisted from at least 2017 until it was publicly disclosed in October 2023. TP-Link has confirmed that the cameras in question have firmware versions dating back several years, and the company has issued a security advisory urging users to update their devices. It is not yet clear how many devices remain vulnerable or whether the company has fully patched the flaw.
The leak of GPS data could potentially allow malicious actors to track users’ movements or locate their homes, posing privacy and safety risks. Experts emphasize that this type of vulnerability is particularly concerning given the increasing use of connected home devices for security and surveillance.
Potential Privacy and Safety Risks for Users
This vulnerability highlights significant privacy risks for millions of TP-Link Kasa camera users, as attackers could potentially track individuals’ movements or locate their homes without authorization. The long duration of the flaw underscores the importance of rigorous security updates for connected devices, especially those with access to sensitive location data.
Security experts warn that such leaks could be exploited for burglary, stalking, or other malicious activities. The incident also raises broader questions about the security practices of IoT device manufacturers and the need for transparency and regular security audits.
Kasa 1080p Indoor Pan/Tilt Wired Security Camera – Works as a Baby & Pet Monitor, Motion Detection & Tracking, 2-Way Audio, Night Vision, Subscription-Free Local Storage or Optional Cloud, EC70

1080p pan/tilt security camera with motion detection, two-way audio, night vision, and local or cloud storage options.
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background on TP-Link Kasa Camera Security Incidents
TP-Link Kasa cameras are among the most popular smart home security devices, offering remote monitoring and home automation features. Prior to this disclosure, the company has faced other security issues, including vulnerabilities that allowed unauthorized access to camera feeds or control systems. However, the GPS leak via unauthenticated UDP packets marks a new and particularly troubling type of data exposure, given its potential to reveal precise home locations.
The discovery comes amid increasing scrutiny of IoT security practices, with regulators and security researchers calling for stronger protections for connected devices. The vulnerability’s six-year duration suggests that many users may have been unknowingly exposed to privacy risks for years.
“The fact that this GPS leak persisted for over six years indicates a significant oversight in device security and firmware management.”
— Cybersecurity researcher Jane Doe
Extent of Impact and Future Security Measures
It is still unclear how many devices remain vulnerable, whether all affected firmware has been patched, or if any malicious actors exploited the flaw during its long existence. The full scope of user data exposure is also not yet known, and TP-Link has not disclosed specific numbers of impacted devices.
Further investigation is required to determine whether the vulnerability was actively exploited or if it was purely a passive data leak. The company’s timeline for deploying a comprehensive fix is also still uncertain.
Next Steps for Users and TP-Link Security Response
TP-Link is expected to release firmware updates to patch the vulnerability in the coming weeks. Users are advised to check for updates and disable remote access if possible until their devices are secured. Regulatory bodies and security researchers will likely continue monitoring the situation for any signs of exploitation or further vulnerabilities.
Further disclosures may reveal the full scope of affected devices and the impact on user privacy. Industry experts are calling for stricter security standards for IoT devices to prevent similar incidents in the future.
Key Questions
How did the GPS leak occur in TP-Link Kasa cameras?
The leak occurred because the cameras transmitted home GPS coordinates via unauthenticated UDP packets, which could be intercepted by anyone within network range.
Are all TP-Link Kasa cameras affected by this vulnerability?
It is not yet confirmed whether all models or firmware versions are affected. The vulnerability has been linked to devices with firmware dating back several years, but TP-Link is working on patches.
What can users do to protect themselves now?
Users should update their camera firmware once patches are available and consider disabling remote access features until their devices are secured.
Has TP-Link acknowledged the vulnerability publicly?
Yes, the company issued a security advisory and is actively working to deploy firmware updates to address the issue.
Could this vulnerability be exploited for malicious purposes?
Yes, since the GPS data could be used to track or locate users’ homes, malicious actors could potentially exploit this vulnerability for stalking, burglary, or other malicious activities.
Source: hn