Cybersecurity 28 min ago0Add to bookmarks

An independent researcher publishes the analysis of a Kasa camera that, since 2019, has been responding to unsigned UDP requests and disclosing the GPS coordinates of the home. A class of bug that should have disappeared.
A public GitHub repository (BadChemical/IoT-Vulnerability-Research-Public), relayed on Hacker News, documents a vulnerability affecting the TP-Link Kasa EC71 camera, a consumer Wi-Fi indoor camera.
The documented behavior:
Impact: geolocation of the home of any user of the affected camera, exploitable on the LAN at minimum, exploitable via the Internet if the port is open (poor NAT configuration, aggressive UPnP, poorly segmented guest networks).
Duration of exposure: according to the report, the function has been present since the initial firmware, approximately six years.
This type of bug falls into the category CWE-306 (Missing Authentication for Critical Function) - a classic in consumer IoT, but which, in 2026, has no excuse. Two design errors are compounded:
The report does not give an assigned CVE to date in the public excerpts - to be monitored on TP-Link advisories and on NVD. The vendor may have been notified; the status of the patch is not confirmed at the time of writing.
In practice, the most exposed person is the one who uses their camera at home and shares their Wi-Fi (shared apartment, Airbnb, shared office). The abusive scenario: a guest retrieves the GPS coordinates from their phone by typing a few UDP packets.
Immediate action box:
Kasa EC71 or variants of the same firmware. The model badge is on the back or under the camera.The initial report is public:
We will monitor the appearance of a CVE and a corrective firmware. If the vulnerability is confirmed without an available patch, the most cautious recommendation remains to unplug the camera or isolate it on a VLAN without outgoing routes.
To remember: when a connected object listens on UDP without authentication, it is probably in default. This specific case is not the worst scenario (no RCE, no exposed video stream), but the geolocation of a home is not data to be taken lightly.
Article produced by artificial intelligence, reviewed under human editorial control.