
TL;DR
Security researcher discovers TP-Link Kasa cameras exposed precise home coordinates via unauthenticated UDP - a vulnerability publicly documented since 2020 but only patched in 2026.
A security researcher's six-month coordinated disclosure with TP-Link has culminated in two CVEs that reveal troubling patterns in consumer IoT security. The most striking finding: Kasa cameras have been leaking precise home GPS coordinates via an unauthenticated UDP endpoint since at least 2020 - and TP-Link only patched it in 2026.
A single UDP packet to port 9999 containing {"system":{"get_sysinfo":{}}} returns sub-meter latitude and longitude coordinates, device fingerprints, MAC addresses, and user-assigned device names. No authentication required.
This isn't a novel attack. The TP-Link Smart Home Protocol was publicly documented by softScheck in July 2016. Independent researchers confirmed the GPS leak on KC100 cameras in August 2020. Despite this public knowledge, TP-Link launched a geofencing feature in September 2023 that relies on collecting this exact location data - three years after the vulnerability was documented.
The researcher assessed the CVSS score at 7.1 (High). TP-Link scored it 5.3 (Medium), arguing that location data represents "low confidentiality impact." The researcher disagrees: "Precise home coordinates aren't low confidentiality impact."
The Hacker News discussion (150+ points, 50+ comments) surfaced the usual IoT security debate, but with some sharp observations:
On the "just use VLANs" crowd: Multiple commenters noted that isolating IoT devices on separate networks doesn't help if the device itself is compromised. One commenter pointed out that Matter-over-Thread and Zigbee alternatives have their own UX nightmares - "horrendously designed from a UX perspective. Easy-to-lose barcodes stuck on cards in the packaging, weird 12-letter codes."
On vibecoders and IoT security: A particularly pointed exchange emerged about AI-generated code in IoT firmware. One commenter reported: "Company with a known name vibecoded a dashboard with Claude. Which also hardcoded a password into the client-side of the dashboard, which I caught." Another noted that TP-Link firmware engineers have left LLM conversation histories publicly indexed by search engines.
On vendor response quality: The researcher's disclosure timeline reveals concerning patterns. TP-Link's May 29 triage response referenced a "MD5 hash in reserved field" that doesn't exist in the actual device behavior - suggesting the finding wasn't technically reviewed before being closed.
Newsletter
Get the weekly deep dive
Tutorials on Claude Code, AI agents, and dev tools, delivered free every week.
From the archive
Jul 17, 2026 • 7 min read
Jul 17, 2026 • 7 min read
Jul 17, 2026 • 7 min read
Jul 17, 2026 • 6 min read
The researcher's timeline is a case study in coordinated disclosure challenges:
Six months from initial report to patch. The device-bricking beta firmware is particularly troubling - it suggests insufficient QA even on security-critical updates.
CVE-2026-9770 (CVSS 8.6) bundles two findings:
Hardcoded RSA keys: Every device running this firmware build shares identical RSA keys - a legacy 1024-bit key from 2014 and an active 2048-bit key from 2021. Both are extractable via a $3-20 SPI flash programmer. Firmware 2.4.1 switches to per-device EC keys provisioned through TP-Link's infrastructure.
Insecure credential storage: User cloud credentials stored as unsalted MD5 hashes with plaintext email addresses. TP-Link ID credentials authenticate across the entire TP-Link ecosystem - Kasa, Tapo, Deco, VIGI - including physical access control devices.
Perhaps the most concerning finding: factory reset doesn't clear previous owner data.
The complete attack chain against secondhand devices:
This means buying a used Kasa camera exposes the previous owner to credential theft and physical location disclosure - even if they performed a factory reset before selling.
The researcher documented additional issues that TP-Link closed without remediation:
These remain unpatched in the current firmware.
The researcher notes a policy contradiction: TP-Link's privacy policy restricts precise location collection to users who enable geofencing. However, GPS coordinates are collected at account creation and stored permanently regardless of geofencing status.
This creates potential CCPA compliance issues - collecting data beyond what's disclosed in the privacy policy, and retaining it without the stated justification.
This case illustrates several recurring patterns:
Vulnerability shelf life: A publicly documented vulnerability from 2020 went unpatched until 2026. IoT vendors don't proactively scan for known issues in their protocol implementations.
Disclosure friction: Six months, device bricking, and triage responses that don't match device behavior. Security researchers face significant barriers to getting fixes deployed.
Design-time mistakes: Fleet-wide cryptographic keys and unsalted password hashes aren't bugs - they're architecture decisions that are expensive to fix. The "architectural redesign" extension request suggests TP-Link knew this was deep surgery.
Secondary market externalities: Factory reset not clearing sensitive data creates ongoing risk for users who sell devices. This isn't unique to TP-Link, but it's rarely documented this clearly.
If you're running affected firmware:
The full security advisory is available on GitHub with complete technical details.
Read next
A security researcher intercepted Grok Build's network traffic and found it uploads entire repositories - including .env files with secrets - to xAI servers. Here's what the data shows.
6 min readDays after getting caught uploading entire codebases to xAI servers, Grok Build is now open source on GitHub. The HN community isn't convinced it's enough.
6 min readA developer reverse-engineered Claude Code and found hidden markers that classify users by timezone, domain, and API keywords - using unicode apostrophe swaps and date format changes.
7 min readTechnical content at the intersection of AI and development. Building with AI agents, Claude Code, and modern dev tools - then showing you exactly how it works.
Set up Codex Chronicle on macOS, manage permissions, and understand privacy, security, and troubleshooting.
Getting StartedA complete, citation-backed Claude Code course with setup, prompting systems, MCP, CI, security, cost controls, and capstone workflows.
ai-development
Days after getting caught uploading entire codebases to xAI servers, Grok Build is now open source on GitHub. The HN com...

A security researcher intercepted Grok Build's network traffic and found it uploads entire repositories - including .env...

A developer reverse-engineered Claude Code and found hidden markers that classify users by timezone, domain, and API key...

Voice cloning now requires just 3 seconds of audio to impersonate someone. With $893M in reported losses, detection has...

Security researchers disclosed a Cursor vulnerability that auto-executes malicious git.exe files from repos - after wait...

Open-source tool gives Claude Code, Codex, and other agents their own isolated Linux VM on your machine - network firewa...

New tutorials, open-source projects, and deep dives on coding agents - delivered weekly.