TP-Link Kasa smart cameras transmitted home GPS coordinates via unencrypted, unauthenticated UDP packets for six years, exposing the physical locations of users to anyone on the network.
The vulnerability affected Kasa EC71 cameras and potentially other models in the lineup. Researchers discovered the cameras sent precise location data through UDP without authentication, allowing attackers to intercept and determine where devices were installed.
The flaw persisted from the cameras' initial release through at least 2024, suggesting a significant gap in TP-Link's security review process. UDP packets can be captured by anyone monitoring network traffic, making the exposure particularly severe for home security devices designed to protect residences.
TP-Link has not yet issued a public statement regarding the vulnerability. Affected users should update firmware immediately once patches become available. This incident highlights ongoing security concerns with IoT devices, where manufacturers frequently prioritize connectivity over baseline encryption and authentication measures.
The research was shared publicly on GitHub, allowing users to assess their own exposure.
A cybercrime crew claims to have breached MyPillow, the bedding company owned by Mike Lindell. The group has not yet disclosed details about the scope of the breach or what data was accessed.
Security researchers have discovered that prompt injection attacks can neutralize malicious AI agents before they execute harmful tasks. The technique, known as "context bombing," exploits vulnerabilities in how AI systems process instructions.
Managed service providers face overwhelming security data volumes. SIEM platforms help MSPs distinguish genuine threats from false alarms, improving visibility and incident response times.
London-based Risk Ledger has secured £24M in Series B funding led by Axiom Equity, bringing its total funding to £33.8M. The firm provides supply chain cyber risk management solutions for organizations.