← All stories
● Covered by 1 source · 1 reportHigh impact

TP-Link Kasa cameras leaked GPS for six years; vulnerabilities now patched

Aggregated by BrevFeed security · updated 1h ago
🔖 Save

TP-Link's Kasa Spot EC71 cameras exposed home GPS data via unauthenticated UDP for six years. A patch in firmware version 2.4.1 remedied significant security vulnerabilities that compromised user data.

Key points

Overview of Vulnerabilities

A security analysis of the TP-Link Kasa Spot EC71 revealed critical vulnerabilities that compromised user confidentiality, integrity, and availability. The device faced issues like unauthenticated exposure of GPS data and insecure credential storage, leading to an urgent need for remediation.

Timeline and Discovery

The GPS vulnerability was publicly known since August 2020, while the underlying protocol issue was identified back in July 2016. Despite this, TP-Link only addressed these vulnerabilities last year, indicating a policy of incremental remediation rather than comprehensive overhauls.

Remediation and Impact

The critical flaws were patched in firmware version 2.4.1, marking a significant step towards securing the Kasa EC71 line. However, the time frame of six years highlights potential systemic issues in TP-Link's vulnerability management processes. The vendor's CVSS score for these issues stands at 8.6, indicating the severity of the flaws.

Recovery Risks

There are potential recovery risks associated with factory-reset devices, where previous owners’ credentials and GPS coordinates could be obtained. This highlights the need for users to be vigilant even after firmware updates.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors — check the original sources. How BrevFeed works →

Primary sources

GitHub cmc_internal/api GitHub github/collect GitHub BadChemical/IoT-Vulnerability-Research-Public GitHub _private/browser GitHub get-started/accessibility GitHub open-source/sponsors

Reporting from

TP-Link's Kasa Spot EC71 cameras exposed home GPS data via unauthenticated UDP for six years. A patch in firmware version 2.4.1 remedied significant security vulnerabilities that compromised user data.