This underscores the principle that IoT devices should not be allowed to communicate over the public Internet. Pretty much all cheap, Chinese-made hardware of this kind has intentional or unintentional security holes waiting to be exploited.
Better to buy devices that can work without internet and just blacklist them at the router level. Price or origin is not a good metric to ensure no leaks.
Not doxing myself, but... Company with a known name vibecoded a dashboard with Claude. Which also hardcoded a password into the client-side of the dashboard, which I caught.
Honestly, I'd rather it leak my GPS to the Chinese government than the US government. They don't have jurisdiction over me anyway.
> should not be allowed to communicate over the public Internet
It would be a no-go for non-techies. One of the biggest draws to IoT devices for "average Joes" is being able to view and control them from remotely, and they aren't going to have the skills or know-how to set up a VPN correctly with dynamic DNS so that their phone can VPN into their home and then sideload/jailbreak their phone to load a custom app to control it. "It just works from anywhere" is a big sell for them.
There are better solutions, like Apple’s HomeKit. I’m able to watch a camera that has no internet access because it passed through my Apple TV, which serves as a home hub. I didn’t have to set any of this up, it just works when you have the required hardware.
HomeKit will take care of the VPN/remote access part, sure, but your devices still need to communicate with the HomeKit device, and that's usually over Wi-Fi, which puts the devices on the public internet, and carries the same security risk.
There are various non-internet protocols for IoT devices, none of them good:
* Zigbee: Requires some technical understanding to set up, devices randomly disconnect for hours even when they are 2ft from the coordinator, all-around horrible experience for non-techies
* Non-standard Zigbee variants: even worse
* Matter-over-Thread: horrendously designed from a UX perspective. Easy-to-lose barcodes stuck on cards in the packaging, weird 12-letter codes, and your non-techie cannot understand what the hell Matter or Thread is. Pairing is an absolute nightmare.
Requires no technical understanding. At least not more than e.g. a WIFI router.
> devices randomly disconnect for hours even when they are 2ft from the coordinator,
You present this like a fact. But it is at most an anecdote. I present you a different anecdote: I have ~30 zigbee devices, in two different houses (first a house with concrete floors and cellar and level 1..3) and now one old woodwork structure house with 2 floors. Nowhere did I had even half an hour of disconnection.
> all around-horrible
... excellent experience even for my ex-spouse, which is/was non-techie.
However, that you present Zigbee here at all is weird. Zigbee doesn't have any way to transport a camera stream. It's mean for low-powered battery devices. My temperature sensors got a 1500mAh AAA chargeable batteries and they lasts now for over one year. Note that I have sensors from ~ 15 different brands. Mostly battery powered sensors and mains power switchable plugs.
I also enjoy that these Zigbee devices are by design completely disconnected from any IP traffic. This, and their (intentional) low data rate make them almost impossible to misuse. E.g. as denial-of-service originators or amplifiers.
It's like you present WIFI as long-range thingy but actually you'd want LORA for that. I'm not assuming that knowing for what kind of usage a tech was designed as "needing technical understanding". After all, no one would claim "you need technical understanding" to know that you better use a truck instead of a Porsche Cayman to transport 50 cubic meters of sand.
> Nowhere did I had even half an hour of disconnection.
Well my garage door opener sensor has been disconnected for two 30 minute gaps today and my plant humidity sensors go offline for 2 weeks at a time.
So yeah, it's not ready for prime time.
> LORA
No, let's not even go there. Tech nerd protocol here that's an awkward middle ground that creates even more problems. Average Joes aren't going to set that crap up.
Are you using a phoscon coordinator? ConBee 2 has a lot of firmware problems in my experience.
There are also some devices which advertise ZigBee compatibility but the manufacturers don't seem to test them against coordinators other than their own (and ConBee 2 seems to have the most problems in this regard).
The protocol is complex, they all are, implementing it correctly isn't a given, but I think the issues people have are more often a factor of how long a protocol has been in use than any fundamental aspect of it.
As soon as cheap hardware manufacturers get on board you get this problem.
Quality hardware works fine with ZigBee. It's by no means perfect technology, if you want that, use copper wires, but it doesn't work as badly as you claim if you are not unlucky with coordinators and devices.
> I’m able to watch a camera that has no internet access because it passed through my Apple TV, which serves as a home hub.
How exactly does this prevent the same kind of issue for Apple devices? Aren't you just trusting that Apple handles your data better than TP-Link? Not saying they don't but routing through another device doesn't really add security on its own.
The report seems obviously AI generated, so I can't be bothered to read in its entirety, but based on my quick skim, "leaked home GPS" makes it sound worse than it is. Unless you're dumb enough to set DMZ on this device, this won't be exposed to the internet, and if it's LAN only, don't you already know the location? Even for a remote attacker who somehow got LAN access remotely, they can probably deduce the location through other means (eg. using crowdsourced wifi databases).
It sounds like you are blaming the user for providing data that a service can leak. That's like blaming a user for writing personal emails when faced with an email provider that leaks emails.
Really enjoying the picture of this user who logs into his router and decides that all unsolicited network traffic from the internet should go to his network camera. Absolute legend. God amongst men.
Six months of coordinated disclosure on a TP-Link Kasa camera resulted in two CVEs, a triage failure where the vendor described a vulnerability that doesn't exist in the reported payload, a beta patch that permanently bricked my test device, and a factory reset that doesn't clear previous owner data.
The GPS finding (CVE-2026-13230) has been publicly documented on this device class since 2020. A single UDP packet returns sub-meter home coordinates with no authentication required. TP-Link scored it 5.3 medium. My independent assessment is 7.1 high. Precise home coordinates aren't low confidentiality impact.
The credential finding (CVE-2026-9770) covers a fleet wide RSA key and unsalted MD5 TP-Link ID credentials. Same credentials provide global authentication across the TP-Link ecosystem.
Factory reset on a secondhand device doesn't clear the data. Connecting to the device's soft AP during setup and sending a single UDP packet returns the previous owner's GPS coordinates.
This underscores the principle that IoT devices should not be allowed to communicate over the public Internet. Pretty much all cheap, Chinese-made hardware of this kind has intentional or unintentional security holes waiting to be exploited.
Better to buy devices that can work without internet and just blacklist them at the router level. Price or origin is not a good metric to ensure no leaks.
> Pretty much all cheap, Chinese-made hardware of this kind has intentional or unintentional security holes waiting to be exploited.
Why single out bad Chinese coding? Bad US IoT coding has a longer history.
There’s bad, and then there’s egregious.
Plenty of US companies have egregious vulnerabilities
All of there IoT devices will be slop coded soon, and I wonder whether that will be an improvement or not. I bet that security will be better.
> I bet that security will be better.
Not doxing myself, but... Company with a known name vibecoded a dashboard with Claude. Which also hardcoded a password into the client-side of the dashboard, which I caught.
I reckon security will be about the same.
> All of there IoT devices will be slop coded soon
Soon?
I've already seen multiple of TP-Link's firmware engineers leave their LLM history public and indexed by search engines.
It's quite obviously them as well.
> This underscores the principle that IoT devices should not be allowed to communicate over the public Internet.
TP-Link is a prominent maker of network hardware, including home and mesh routers.
Consumers just don't care about security. It is what it is.
There is no reasonable way to assess security for the average consumer.
Even if there’d be a way, there’s no culture of asking questions about how things work, especially outside the single “happy” path.
> Chinese-made hardware
Honestly, I'd rather it leak my GPS to the Chinese government than the US government. They don't have jurisdiction over me anyway.
> should not be allowed to communicate over the public Internet
It would be a no-go for non-techies. One of the biggest draws to IoT devices for "average Joes" is being able to view and control them from remotely, and they aren't going to have the skills or know-how to set up a VPN correctly with dynamic DNS so that their phone can VPN into their home and then sideload/jailbreak their phone to load a custom app to control it. "It just works from anywhere" is a big sell for them.
> It would be a no-go for non-techies.
There are better solutions, like Apple’s HomeKit. I’m able to watch a camera that has no internet access because it passed through my Apple TV, which serves as a home hub. I didn’t have to set any of this up, it just works when you have the required hardware.
HomeKit will take care of the VPN/remote access part, sure, but your devices still need to communicate with the HomeKit device, and that's usually over Wi-Fi, which puts the devices on the public internet, and carries the same security risk.
There are various non-internet protocols for IoT devices, none of them good:
* Zigbee: Requires some technical understanding to set up, devices randomly disconnect for hours even when they are 2ft from the coordinator, all-around horrible experience for non-techies
* Non-standard Zigbee variants: even worse
* Matter-over-Thread: horrendously designed from a UX perspective. Easy-to-lose barcodes stuck on cards in the packaging, weird 12-letter codes, and your non-techie cannot understand what the hell Matter or Thread is. Pairing is an absolute nightmare.
> devices randomly disconnect for hours even when they are 2ft from the coordinator
I don't think that's normal. Like, to the point where I'm wondering if you have a bad opinion of the whole protocol because you got a faulty device.
> Zigbee
Requires no technical understanding. At least not more than e.g. a WIFI router.
> devices randomly disconnect for hours even when they are 2ft from the coordinator,
You present this like a fact. But it is at most an anecdote. I present you a different anecdote: I have ~30 zigbee devices, in two different houses (first a house with concrete floors and cellar and level 1..3) and now one old woodwork structure house with 2 floors. Nowhere did I had even half an hour of disconnection.
> all around-horrible
... excellent experience even for my ex-spouse, which is/was non-techie.
However, that you present Zigbee here at all is weird. Zigbee doesn't have any way to transport a camera stream. It's mean for low-powered battery devices. My temperature sensors got a 1500mAh AAA chargeable batteries and they lasts now for over one year. Note that I have sensors from ~ 15 different brands. Mostly battery powered sensors and mains power switchable plugs.
I also enjoy that these Zigbee devices are by design completely disconnected from any IP traffic. This, and their (intentional) low data rate make them almost impossible to misuse. E.g. as denial-of-service originators or amplifiers.
It's like you present WIFI as long-range thingy but actually you'd want LORA for that. I'm not assuming that knowing for what kind of usage a tech was designed as "needing technical understanding". After all, no one would claim "you need technical understanding" to know that you better use a truck instead of a Porsche Cayman to transport 50 cubic meters of sand.
> Nowhere did I had even half an hour of disconnection.
Well my garage door opener sensor has been disconnected for two 30 minute gaps today and my plant humidity sensors go offline for 2 weeks at a time.
So yeah, it's not ready for prime time.
> LORA
No, let's not even go there. Tech nerd protocol here that's an awkward middle ground that creates even more problems. Average Joes aren't going to set that crap up.
Are you using a phoscon coordinator? ConBee 2 has a lot of firmware problems in my experience.
There are also some devices which advertise ZigBee compatibility but the manufacturers don't seem to test them against coordinators other than their own (and ConBee 2 seems to have the most problems in this regard).
The protocol is complex, they all are, implementing it correctly isn't a given, but I think the issues people have are more often a factor of how long a protocol has been in use than any fundamental aspect of it.
As soon as cheap hardware manufacturers get on board you get this problem.
Quality hardware works fine with ZigBee. It's by no means perfect technology, if you want that, use copper wires, but it doesn't work as badly as you claim if you are not unlucky with coordinators and devices.
> I’m able to watch a camera that has no internet access because it passed through my Apple TV, which serves as a home hub.
How exactly does this prevent the same kind of issue for Apple devices? Aren't you just trusting that Apple handles your data better than TP-Link? Not saying they don't but routing through another device doesn't really add security on its own.
The report seems obviously AI generated, so I can't be bothered to read in its entirety, but based on my quick skim, "leaked home GPS" makes it sound worse than it is. Unless you're dumb enough to set DMZ on this device, this won't be exposed to the internet, and if it's LAN only, don't you already know the location? Even for a remote attacker who somehow got LAN access remotely, they can probably deduce the location through other means (eg. using crowdsourced wifi databases).
> Unless you're dumb enough to (...)
It sounds like you are blaming the user for providing data that a service can leak. That's like blaming a user for writing personal emails when faced with an email provider that leaks emails.
Really enjoying the picture of this user who logs into his router and decides that all unsolicited network traffic from the internet should go to his network camera. Absolute legend. God amongst men.
This user doesn’t know what they’re enabling, they’re following steps from a blog post or something to allow access from outside their home.
DMZs as a solution to port forwarding issues have been a misunderstood part of online games troubleshooting for at least 20 years.
That disclosure timeline is brutal…
Why do people keep buying all this garbage and putting it in their homes?
Six months of coordinated disclosure on a TP-Link Kasa camera resulted in two CVEs, a triage failure where the vendor described a vulnerability that doesn't exist in the reported payload, a beta patch that permanently bricked my test device, and a factory reset that doesn't clear previous owner data.
The GPS finding (CVE-2026-13230) has been publicly documented on this device class since 2020. A single UDP packet returns sub-meter home coordinates with no authentication required. TP-Link scored it 5.3 medium. My independent assessment is 7.1 high. Precise home coordinates aren't low confidentiality impact.
The credential finding (CVE-2026-9770) covers a fleet wide RSA key and unsalted MD5 TP-Link ID credentials. Same credentials provide global authentication across the TP-Link ecosystem.
Factory reset on a secondhand device doesn't clear the data. Connecting to the device's soft AP during setup and sending a single UDP packet returns the previous owner's GPS coordinates.
Did they pay you anything at least, for doing their work?