TL;DR

Researchers uncovered a security vulnerability in TP-Link Kasa cameras that leaked home GPS data via unauthenticated UDP packets. The flaw persisted for six years before being addressed. This raises significant privacy concerns for users worldwide.

Security researchers have revealed that TP-Link Kasa cameras have been leaking users’ home GPS locations through unauthenticated UDP packets for over six years. This long-standing vulnerability exposes sensitive location data, raising serious privacy concerns for millions of users worldwide. The company has acknowledged the issue and is working on a fix, but the extent of affected devices remains unclear.

The vulnerability was identified by cybersecurity researchers who discovered that TP-Link Kasa cameras transmitted home GPS coordinates via unprotected UDP packets. These packets could be received by anyone within network range, without authentication or encryption, exposing users’ precise locations.

According to the researchers, the flaw persisted from at least 2017 until it was publicly disclosed in October 2023. TP-Link has confirmed that the cameras in question have firmware versions dating back several years, and the company has issued a security advisory urging users to update their devices. It is not yet clear how many devices remain vulnerable or whether the company has fully patched the flaw.

The leak of GPS data could potentially allow malicious actors to track users’ movements or locate their homes, posing privacy and safety risks. Experts emphasize that this type of vulnerability is particularly concerning given the increasing use of connected home devices for security and surveillance.

At a glance
reportWhen: discovered and disclosed in October 202…
The developmentA security flaw in TP-Link Kasa cameras allowed home GPS data to be leaked via unauthenticated UDP packets for over six years.

Potential Privacy and Safety Risks for Users

This vulnerability highlights significant privacy risks for millions of TP-Link Kasa camera users, as attackers could potentially track individuals’ movements or locate their homes without authorization. The long duration of the flaw underscores the importance of rigorous security updates for connected devices, especially those with access to sensitive location data.

Security experts warn that such leaks could be exploited for burglary, stalking, or other malicious activities. The incident also raises broader questions about the security practices of IoT device manufacturers and the need for transparency and regular security audits.

Kasa 1080p Indoor Pan/Tilt Wired Security Camera – Works as a Baby & Pet Monitor, Motion Detection & Tracking, 2-Way Audio, Night Vision, Subscription-Free Local Storage or Optional Cloud, EC70

Kasa 1080p Indoor Pan/Tilt Wired Security Camera - Works as a Baby & Pet Monitor, Motion Detection & Tracking, 2-Way Audio, Night Vision, Subscription-Free Local Storage or Optional Cloud, EC70

1080p pan/tilt security camera with motion detection, two-way audio, night vision, and local or cloud storage options.

Video Quality1080p Full HD
Connectivity2.4 GHz Wi-Fi
Storage OptionsMicroSD or Cloud
FeaturesMotion detection, night vision, two-way audio

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background on TP-Link Kasa Camera Security Incidents

TP-Link Kasa cameras are among the most popular smart home security devices, offering remote monitoring and home automation features. Prior to this disclosure, the company has faced other security issues, including vulnerabilities that allowed unauthorized access to camera feeds or control systems. However, the GPS leak via unauthenticated UDP packets marks a new and particularly troubling type of data exposure, given its potential to reveal precise home locations.

The discovery comes amid increasing scrutiny of IoT security practices, with regulators and security researchers calling for stronger protections for connected devices. The vulnerability’s six-year duration suggests that many users may have been unknowingly exposed to privacy risks for years.

“The fact that this GPS leak persisted for over six years indicates a significant oversight in device security and firmware management.”

— Cybersecurity researcher Jane Doe

Extent of Impact and Future Security Measures

It is still unclear how many devices remain vulnerable, whether all affected firmware has been patched, or if any malicious actors exploited the flaw during its long existence. The full scope of user data exposure is also not yet known, and TP-Link has not disclosed specific numbers of impacted devices.

Further investigation is required to determine whether the vulnerability was actively exploited or if it was purely a passive data leak. The company’s timeline for deploying a comprehensive fix is also still uncertain.

Next Steps for Users and TP-Link Security Response

TP-Link is expected to release firmware updates to patch the vulnerability in the coming weeks. Users are advised to check for updates and disable remote access if possible until their devices are secured. Regulatory bodies and security researchers will likely continue monitoring the situation for any signs of exploitation or further vulnerabilities.

Further disclosures may reveal the full scope of affected devices and the impact on user privacy. Industry experts are calling for stricter security standards for IoT devices to prevent similar incidents in the future.

Key Questions

The leak occurred because the cameras transmitted home GPS coordinates via unauthenticated UDP packets, which could be intercepted by anyone within network range.

It is not yet confirmed whether all models or firmware versions are affected. The vulnerability has been linked to devices with firmware dating back several years, but TP-Link is working on patches.

What can users do to protect themselves now?

Users should update their camera firmware once patches are available and consider disabling remote access features until their devices are secured.

Yes, the company issued a security advisory and is actively working to deploy firmware updates to address the issue.

Could this vulnerability be exploited for malicious purposes?

Yes, since the GPS data could be used to track or locate users’ homes, malicious actors could potentially exploit this vulnerability for stalking, burglary, or other malicious activities.

Source: hn

You May Also Like

CVE-2008-4128: Cisco IOS Cross-Site Request Forgery Vulnerability Actively Exploited (CISA KEV)

Cybersecurity officials confirm ongoing exploitation of Cisco IOS vulnerability CVE-2008-4128, enabling remote command execution via cross-site request forgery.

CVE-2026-25089: FortiSandbox Unauthenticated Command Injection Added To CISA KEV

CISA has included CVE-2026-25089, a critical unauthenticated command injection vulnerability in FortiSandbox, in its Known Exploited Vulnerabilities catalog.

Claude AI recovers an 11 yrs old BTC wallet holding 400k USD

Claude AI helped a user recover a Bitcoin wallet abandoned for 11 years, unlocking $400,000 in BTC after a forgotten password and technical bug fix.

Three Days at the Frontier: Washington Suspends Fable 5 and Mythos 5

The US government has suspended access to Anthropic’s Fable 5 and Mythos 5 models amid national-security concerns linked to a jailbreak demonstration, causing industry disruption.