4 comments

  • drnick1 1 hour ago
    This underscores the principle that IoT devices should not be allowed to communicate over the public Internet. Pretty much all cheap, Chinese-made hardware of this kind has intentional or unintentional security holes waiting to be exploited.
    • jwrallie 10 minutes ago
      Better to buy devices that can work without internet and just blacklist them at the router level. Price or origin is not a good metric to ensure no leaks.
    • petra 9 minutes ago
      Consumers just don't care about security. It is what it is.
    • WarOnPrivacy 1 hour ago
      > Pretty much all cheap, Chinese-made hardware of this kind has intentional or unintentional security holes waiting to be exploited.

      Why single out bad Chinese coding? Bad US IoT coding has a longer history.

      • forestry 23 minutes ago
        There’s bad, and then there’s egregious.
      • copperx 59 minutes ago
        All of there IoT devices will be slop coded soon, and I wonder whether that will be an improvement or not. I bet that security will be better.
  • gruez 1 hour ago
    The report seems obviously AI generated, so I can't be bothered to read in its entirety, but based on my quick skim, "leaked home GPS" makes it sound worse than it is. Unless you're dumb enough to set DMZ on this device, this won't be exposed to the internet, and if it's LAN only, don't you already know the location? Even for a remote attacker who somehow got LAN access remotely, they can probably deduce the location through other means (eg. using crowdsourced wifi databases).
    • forestry 24 minutes ago
      This level of handwaving makes me suspicious of your motives. Security professionals have been advising against TP-Link devices for years for reasons such as in the OP.
  • BobbyTables2 11 minutes ago
    That disclosure timeline is brutal…
  • BadChemical 6 hours ago
    Six months of coordinated disclosure on a TP-Link Kasa camera resulted in two CVEs, a triage failure where the vendor described a vulnerability that doesn't exist in the reported payload, a beta patch that permanently bricked my test device, and a factory reset that doesn't clear previous owner data.

    The GPS finding (CVE-2026-13230) has been publicly documented on this device class since 2020. A single UDP packet returns sub-meter home coordinates with no authentication required. TP-Link scored it 5.3 medium. My independent assessment is 7.1 high. Precise home coordinates aren't low confidentiality impact.

    The credential finding (CVE-2026-9770) covers a fleet wide RSA key and unsalted MD5 TP-Link ID credentials. Same credentials provide global authentication across the TP-Link ecosystem.

    Factory reset on a secondhand device doesn't clear the data. Connecting to the device's soft AP during setup and sending a single UDP packet returns the previous owner's GPS coordinates.