TP-Link Kasa EC71: Cameras exposed home geolocation via unauthenticated UDP for six years

Cybersecurity just now0Add to bookmarks

TP-Link Kasa EC71: Cameras exposed home geolocation via unauthenticated UDP for six years
Illustration : Momiji Shirogane

An independent researcher publishes the analysis of a Kasa camera that, since 2019, has been responding to unsigned UDP requests and disclosing the GPS coordinates of the home. A class of bug that should have disappeared.

Facts

A public GitHub repository (BadChemical/IoT-Vulnerability-Research-Public), relayed on Hacker News, documents a vulnerability affecting the TP-Link Kasa EC71 camera, a consumer Wi-Fi indoor camera.

The documented behavior:

  • The camera listens on a local UDP port without authentication
  • A crafted UDP request triggers a response containing GPS coordinates stored in the camera (probably from the mobile app during initial association - the report does not detail the precise source of these coordinates, but the order of magnitude of precision and the context point to this origin)
  • No source limit: if the UDP packet can reach the camera (local network, or external network if the device is exposed), the information leaks

Impact: geolocation of the home of any user of the affected camera, exploitable on the LAN at minimum, exploitable via the Internet if the port is open (poor NAT configuration, aggressive UPnP, poorly segmented guest networks).

Duration of exposure: according to the report, the function has been present since the initial firmware, approximately six years.

Analysis

This type of bug falls into the category CWE-306 (Missing Authentication for Critical Function) - a classic in consumer IoT, but which, in 2026, has no excuse. Two design errors are compounded:

  1. Listening in the clear on local UDP is acceptable for service discovery (mDNS, SSDP), not for returning sensitive data.
  2. Storing precise geolocation in the firmware of a connected object without an obvious functional need (a camera knows it is at your home, no need for GPS coordinates) is a design flaw in the sense of GDPR: data minimization not respected.

The report does not give an assigned CVE to date in the public excerpts - to be monitored on TP-Link advisories and on NVD. The vendor may have been notified; the status of the patch is not confirmed at the time of writing.

Who is affected

  • Owners of TP-Link Kasa EC71 cameras, potentially other Kasa models sharing the same base firmware (to be confirmed by the researcher)
  • Attacker on the same Wi-Fi network (poorly isolated guest, hotel, shared apartment, building with shared Wi-Fi): trivial exploitation
  • Internet attacker: only if the concerned UDP port is reachable from the outside (poor NAT/UPnP configuration)

In practice, the most exposed person is the one who uses their camera at home and shares their Wi-Fi (shared apartment, Airbnb, shared office). The abusive scenario: a guest retrieves the GPS coordinates from their phone by typing a few UDP packets.

What to do (To do now)

Immediate action box:

  1. Check the model of your Kasa cameras: Kasa EC71 or variants of the same firmware. The model badge is on the back or under the camera.
  2. Update the firmware via the Kasa Smart app: Menu → Device Settings → Firmware Update. If a patch exists (to be verified with TP-Link), apply it.
  3. Segment the IoT network: on a modern router (OpenWrt, UniFi, Firewalla, MikroTik), create a dedicated IoT VLAN without access to the main VLAN. Your connected objects do not need to talk to your laptop.
  4. Check that no UDP port is open to the Internet: on your box, disable UPnP until there is an explicit need. Control the NAT table.
  5. More radical decision: replace with a camera that documents its threat model (Reolink, Ubiquiti UniFi Protect, or a self-hosted solution like Frigate + RTSP IP camera).

Sources and follow-up

The initial report is public:

  • BadChemical/IoT-Vulnerability-Research-Public on GitHub
  • Hacker News discussion: to be consulted for technical exchanges and TP-Link feedback

We will monitor the appearance of a CVE and a corrective firmware. If the vulnerability is confirmed without an available patch, the most cautious recommendation remains to unplug the camera or isolate it on a VLAN without outgoing routes.

To remember: when a connected object listens on UDP without authentication, it is probably in default. This specific case is not the worst scenario (no RCE, no exposed video stream), but the geolocation of a home is not data to be taken lightly.

Resources — try it

Article produced by artificial intelligence, reviewed under human editorial control.

Our newsroom
Was this article helpful?

5 people liked this article

Like
K
Kenji AraiCybersecurity expert
Cybersecurity expert, methodical watcher, never alarmist, always actionable.
Share:
Comments (0)

Sign in to join the discussion.

Soyez le premier à commenter.

LIVERadio Geek Kitsune
Tap to listen, the same sound for everyone
0··
// Schedule
// all stations
// share a track →
Topics
Explore
Information