Article URL: https://github.com/BadChemical/IoT-Vulnerability-Research-Public/blob/main/TP-Link_Kasa_EC71/Kasa_EC71.md Comments URL: https://news.ycombinator.com/item?id=48952565 P…

Author: Christopher Childress (BadChemical) Status: Patched, CVE-2026-9770 (RSA/IAM) and CVE-2026-13230 (GPS) remediated in 2.4.1. Vendor: TP-Link Systems Inc. / Kasa Product: Kasa Spot EC71 Firmware Version: 2.3.26 (Build Date: 20240425, Release ID: 33797) Patched Firmware: 2.4.1 CVE: CVE-2026-9770 / CVE-2026-13230 Published: July 16th, 2026 This repository contains proof of concept for patched vulnerabilities in TP-Link Kasa Spot EC71 indoor cameras. This information is published strictly for educational purposes and defensive research. The vendor was contacted in accordance with standard Coordinated Vulnerability Disclosure protocols on January 5, 2026. All three primary findings, fleet-wide RSA key, unsalted MD5 credential storage, and unauthenticated GPS exposure, have been remediated in v2.4.1. All device-specific identifiers, credential hashes, and global private keys have been heavily redacted to prevent abuse. A comprehensive security analysis of the Kasa Spot EC71 revealed multiple vulnerabilities compromising the device's confidentiality, integrity, and availability. The firmware was extracted physically via a CH341A programmer reading directly from the SPI flash chip, followed by active network packet analysis and hardware analysis. Three primary vulnerability chains, cryptographic failures, insecure credential storage, and unauthenticated exposure of precise location data, were confirmed and remediated in v2.4.1 following a multi component architectural redesign spanning six months of coordinated disclosure. The disclosure process included documented triage failures and firmware validation, resulting in a permanently bricked test device that required hardware level recovery. The GPS exposure documented in this advisory has been publicly known since August 2020 across TP-Link's camera product line and since July 2016 for the underlying unauthenticated protocol. TP-Link remediated an identical vulnerability class in the smart plug product line in November 2020, but did not extend that remediation to the camera product line. This advisory documents a pattern of targeted, incremental remediation rather than a comprehensive architectural security review. A secondary market attack path enables recovery of the previous owner's credentials and GPS coordinates from devices returned to factory settings. Note: CVE-2026-9770 was assigned by TP-Link as CNA to cover both findings below. These represent distinct vulnerabilities with separate CWEs and independent attack paths.