July 17, 2026
Caught on cam: the comments meltdown
TP-Link Kasa cameras leaked home GPS via unauthenticated UDP for 6 years
Home camera drama explodes as users roast TP-Link over years-long location leak
TLDR: TP-Link patched a Kasa camera flaw that could reveal a home’s location and leave old owner data behind, after a messy six-month disclosure. Commenters split between calling it a privacy nightmare and saying the danger was overhyped, but nearly everyone agreed the vendor response looked bad.
This story landed like catnip for the internet’s gadget skeptics: a TP-Link Kasa indoor camera was found to be giving away a home’s GPS location over the local network for six years, and the patch only arrived now. But the real fireworks were in the comments, where people weren’t just alarmed — they were furious, sarcastic, and deeply unimpressed. Researcher BadChemical described a six-month disclosure saga featuring a botched review, a test update that allegedly bricked a device, and the extra-creepy detail that even a factory reset didn’t fully wipe old owner data. That detail especially had readers clutching their pearls.
The hottest split in the thread? One camp basically screamed, “This is why you never trust cheap internet-connected home gadgets.” Another camp rolled its eyes at the scary wording, arguing that “leaked home GPS” sounds way more apocalyptic than the real-world risk if the bug mostly works inside your home network. Translation for normal people: some commenters think this is a full-on privacy horror show, while others think the headline is doing a bit of Hollywood. Still, even the skeptics admitted the disclosure timeline looked rough, with one user summing it up like a reaction meme: “That disclosure timeline is brutal…”
And yes, there was a little meta-drama too: one commenter dismissed the report as looking AI-generated before admitting they didn’t fully read it — the kind of drive-by take that instantly turns any tech thread into a popcorn event.
Key Points
- •The advisory says TP-Link Kasa Spot EC71 firmware 2.3.26 contained multiple vulnerabilities, including unauthenticated GPS exposure, fleet-wide RSA key issues, and unsalted MD5 credential storage.
- •The reported issues were patched in firmware version 2.4.1, with CVEs assigned as CVE-2026-9770 and CVE-2026-13230.
- •The researcher states the device was analyzed through physical firmware extraction using a CH341A programmer, SPI flash access, and network packet and hardware analysis.
- •The advisory says the GPS exposure had been publicly known across TP-Link’s camera line since August 2020 and that the underlying unauthenticated protocol had been known since July 2016.
- •The report describes a secondary-market attack path in which a factory-reset device could still reveal a previous owner’s credentials and GPS coordinates, and includes a disclosure timeline beginning January 5, 2026.