Three Critical Vulnerabilities in Kasa Spot EC71
A comprehensive security analysis of the TP-Link Kasa Spot EC71 indoor camera (firmware 2.3.26) uncovered three distinct vulnerabilities that together expose device owners to privacy invasion, account takeover, and potential physical security risks. The findings, published by researcher Christopher Childress (BadChemical) on GitHub, detail a six-year history of unauthenticated GPS leakage and cryptographic failures that were only fully remediated in firmware 2.4.1.
Finding 1: Hardcoded Fleet-Wide RSA Private Keys
The firmware contains two complete RSA key/certificate pairs across two SquashFS layers. The primary SquashFS holds a legacy 1024-bit key/cert pair issued by TPRI-CA in 2014 (expired July 2024, signed with SHA1). The secondary SquashFS layer contains the active 2048-bit RSA key/cert pair issued by CN=TP-Link in 2021 (valid until July 2031, signed with SHA256). Both pairs are fleet-wide—identical across all EC71 devices running this firmware build. The device serves the 2021 certificate at runtime.
Impact: Any attacker with physical access to a single EC71 can extract both private keys from the SPI flash chip using a CH341A programmer. The active 2048-bit key is then valid for all devices on the same firmware. This enables Man-in-the-Middle attacks on local device-to-app communication if the traffic doesn't route through the cloud. The researcher noted that ARP spoofing attempts didn't intercept data, suggesting primary communication routes through the cloud, but the key extraction remains a serious cryptographic failure.
Finding 2: Insecure Storage of User Passwords (Unsalted MD5)
User cloud account credentials are stored in config/account as an unsalted MD5 hash across two filesystem partitions. The read-only SquashFS contains factory default credentials (admin/admin). At runtime, the jffs2 overlay overwrites this with the user's TP-Link ID email (plaintext) and password (unsalted MD5).
Cross-Domain Impact: TP-Link ID is a unified authentication service across all TP-Link products (Deco, Kasa, Tapo, Tether, Omada, VIGI). Cracking an unsalted MD5 hash is trivial with modern rainbow tables or GPU clusters. An attacker who compromises one device can take over the user's account on all TP-Link platforms, including Tapo smart locks (physical access bypass), Deco mesh networks (full network takeover), or VIGI commercial surveillance.
Finding 3: Unauthenticated Precise GPS Exposure (CVE-2026-13230)
A single unauthenticated UDP packet containing {"system":{"get_sysinfo":{}}} sent to port 9999 returns a full JSON response with precise GPS coordinates, unique hardware IDs (oemId, hwId, deviceId, mac, mic_mac), user-assigned device alias, and full firmware version. The data is protected only by a trivial XOR cipher that Wireshark decodes natively. No authentication, session token, or prior device setup is required.
The GPS coordinates are sourced from the mobile device at account creation and stored permanently in the device's firmware (config/location). They do not rotate (manual syncing is available), providing a static record of the owner's home location.
Timeline of Negligence
This vulnerability class has been public since July 2016, when softScheck published reverse engineering of the HS110 smart plug, explicitly noting "No authentication: Anybody on the local network can turn the Smart Plug on and off, reset it or render it inoperable." In August 2020, independent research documented identical unauthenticated GPS exposure on the Kasa KC100 camera. TP-Link patched the smart plug line in November 2020 but did not extend the fix to cameras until this disclosure.
The coordinated disclosure process (Jan–Jul 2026) included a triage failure where the vendor referenced a non-existent MD5 hash field, and a beta firmware (2.4.00) that bricked the test device permanently. The final patched firmware 2.4.1 was validated on June 25, 2026, and rolled out over 1.5–2 weeks.
Practical Exploitation
On a local network, an attacker can run:
echo '{"system":{"get_sysinfo":{}}}' | nc -u 9999
The response contains latitude/longitude, device IDs, and firmware version in plaintext after XOR decoding. For credential extraction, physical SPI flash access is required, but the unsalted MD5 hash can be cracked offline.
Remediation
Firmware 2.4.1 patches all three findings: fleet-wide RSA keys are replaced with per-device keys, credentials are stored using salted hashing (details not disclosed), and the UDP endpoint now requires authentication. Users should update immediately via the Kasa app. Factory-reset devices may still expose old credentials if not wiped properly—the researcher notes a secondary market attack path where previous owner credentials and GPS can be recovered.
Why This Matters
For developers, this is a textbook case of how not to handle IoT security: hardcoded keys, unsalted hashes, and unauthenticated endpoints that persist for years despite public knowledge. It also highlights the dangers of unified authentication across product lines—a single weak point cascades into full ecosystem compromise.





