The report seems obviously AI generated, so I can't be bothered to read in its entirety, but based on my quick skim, "leaked home GPS" makes it sound worse than it is. Unless you're dumb enough to set DMZ on this device, this won't be exposed to the internet, and if it's LAN only, don't you already know the location? Even for a remote attacker who somehow got LAN access remotely, they can probably deduce the location through other means (eg. using crowdsourced wifi databases).
This level of handwaving makes me suspicious of your motives. Security professionals have been advising against TP-Link devices for years for reasons such as in the OP.
A random post on hacker news isn't going to make a dent in TP-Link's camera marketshare positive or negative. If the GP really has bad motives they wouldn't really accomplish anything with that. But I doubt they do. I use these cams myself too. They're ok if you limit their internet access. I limit all my TP-Link stuff anyway since they suddenly removed local access for their switched power plugs in an auto firmware update.
This underscores the principle that IoT devices should not be allowed to communicate over the public Internet. Pretty much all cheap, Chinese-made hardware of this kind has intentional or unintentional security holes waiting to be exploited.
Honestly, I'd rather it leak my GPS to the Chinese government than the US government. They don't have jurisdiction over me anyway.
> should not be allowed to communicate over the public Internet
It would be a no-go for non-techies. One of the biggest draws to IoT devices for "average Joes" is being able to view and control them from remotely, and they aren't going to have the skills or know-how to set up a VPN correctly with dynamic DNS so that their phone can VPN into their home and then sideload/jailbreak their phone to load a custom app to control it. "It just works from anywhere" is a big sell for them.
There are better solutions, like Apple’s HomeKit. I’m able to watch a camera that has no internet access because it passed through my Apple TV, which serves as a home hub. I didn’t have to set any of this up, it just works when you have the required hardware.
> I’m able to watch a camera that has no internet access because it passed through my Apple TV, which serves as a home hub.
How exactly does this prevent the same kind of issue for Apple devices? Aren't you just trusting that Apple handles your data better than TP-Link? Not saying they don't but routing through another device doesn't really add security on its own.
HomeKit will take care of the VPN/remote access part, sure, but your devices still need to communicate with the HomeKit device, and that's usually over Wi-Fi, which puts the devices on the public internet, and carries the same security risk.
There are various non-internet protocols for IoT devices, none of them good:
* Zigbee: Requires some technical understanding to set up, devices randomly disconnect for hours even when they are 2ft from the coordinator, all-around horrible experience for non-techies
* Non-standard Zigbee variants: even worse
* Matter-over-Thread: horrendously designed from a UX perspective. Easy-to-lose barcodes stuck on cards in the packaging, weird 12-letter codes, and your non-techie cannot understand what the hell Matter or Thread is. Pairing is an absolute nightmare.
Better to buy devices that can work without internet and just blacklist them at the router level. Price or origin is not a good metric to ensure no leaks.
Six months of coordinated disclosure on a TP-Link Kasa camera resulted in two CVEs, a triage failure where the vendor described a vulnerability that doesn't exist in the reported payload, a beta patch that permanently bricked my test device, and a factory reset that doesn't clear previous owner data.
The GPS finding (CVE-2026-13230) has been publicly documented on this device class since 2020. A single UDP packet returns sub-meter home coordinates with no authentication required. TP-Link scored it 5.3 medium. My independent assessment is 7.1 high. Precise home coordinates aren't low confidentiality impact.
The credential finding (CVE-2026-9770) covers a fleet wide RSA key and unsalted MD5 TP-Link ID credentials. Same credentials provide global authentication across the TP-Link ecosystem.
Factory reset on a secondhand device doesn't clear the data. Connecting to the device's soft AP during setup and sending a single UDP packet returns the previous owner's GPS coordinates.
It's not the best company but they're cheap.
Why single out bad Chinese coding? Bad US IoT coding has a longer history.
Honestly, I'd rather it leak my GPS to the Chinese government than the US government. They don't have jurisdiction over me anyway.
> should not be allowed to communicate over the public Internet
It would be a no-go for non-techies. One of the biggest draws to IoT devices for "average Joes" is being able to view and control them from remotely, and they aren't going to have the skills or know-how to set up a VPN correctly with dynamic DNS so that their phone can VPN into their home and then sideload/jailbreak their phone to load a custom app to control it. "It just works from anywhere" is a big sell for them.
There are better solutions, like Apple’s HomeKit. I’m able to watch a camera that has no internet access because it passed through my Apple TV, which serves as a home hub. I didn’t have to set any of this up, it just works when you have the required hardware.
How exactly does this prevent the same kind of issue for Apple devices? Aren't you just trusting that Apple handles your data better than TP-Link? Not saying they don't but routing through another device doesn't really add security on its own.
There are various non-internet protocols for IoT devices, none of them good:
* Zigbee: Requires some technical understanding to set up, devices randomly disconnect for hours even when they are 2ft from the coordinator, all-around horrible experience for non-techies
* Non-standard Zigbee variants: even worse
* Matter-over-Thread: horrendously designed from a UX perspective. Easy-to-lose barcodes stuck on cards in the packaging, weird 12-letter codes, and your non-techie cannot understand what the hell Matter or Thread is. Pairing is an absolute nightmare.
The GPS finding (CVE-2026-13230) has been publicly documented on this device class since 2020. A single UDP packet returns sub-meter home coordinates with no authentication required. TP-Link scored it 5.3 medium. My independent assessment is 7.1 high. Precise home coordinates aren't low confidentiality impact.
The credential finding (CVE-2026-9770) covers a fleet wide RSA key and unsalted MD5 TP-Link ID credentials. Same credentials provide global authentication across the TP-Link ecosystem.
Factory reset on a secondhand device doesn't clear the data. Connecting to the device's soft AP during setup and sending a single UDP packet returns the previous owner's GPS coordinates.