TP-Link says they use encryption to protect your data, but security researchers found their smart plug communicated using a cipher so weak it could be reversed by anyone on your Wi-Fi network. Instead of fixing the encryption, TP-Link removed local control entirely, forcing all communication through their cloud servers instead. TP-Link claims to use TLS encryption (the same technology that protects your online banking), but security researchers found the device doesn't actually check if it's talking to the real TP-Link server. This means anyone on your network could pretend to be TP-Link's server, intercept all your data, and even take control of your plug — completely defeating the encryption TP-Link promised.
What they claim: Kasa privacy policy states: 'We have implemented measures, including encryption and TLS technology, designed to secure your personal data.'
What we found: CVE-2024-46548: The Kasa KP125M (same product family) was discovered to improperly validate TLS certificates in firmware v1.0.3, allowing man-in-the-middle attackers to eavesdrop on all communications and access sensitive information. The device did not verify the remote server's certificate chain, rendering the claimed TLS protection meaningless. An attacker could intercept traffic, inject commands, and take control of the device.
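The finding above is a missing certificate check, so here is what that check looks like when it is present. This is an added example written for this page, not TP-Link's firmware or app code: it uses Python's standard ssl module to build the weak configuration (the behaviour the advisory describes) beside the hardened one, and a small audit helper that names the steps a context skips. The host name and port in the connect helper are placeholders.

```python
"""Added example, not TP-Link's or the device's code.

build_client_context(verify=False) reproduces the weak setting: any
certificate from any host is accepted, which is what lets a machine on the
LAN stand in for the cloud server. build_client_context() is the hardened
default: trusted roots, chain validation and a hostname match.
context_problems() audits a context and open_verified_connection() refuses
to use one that would accept an impostor.
"""
import socket
import ssl


def build_client_context(verify: bool = True) -> ssl.SSLContext:
    """Hardened by default: system roots, CERT_REQUIRED, check_hostname=True."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        # The weak configuration. check_hostname has to be cleared before
        # verify_mode can be set to CERT_NONE, which is itself a hint that
        # the two checks belong together.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_problems(ctx: ssl.SSLContext) -> list:
    """Return the verification steps this context skips (empty list if none)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not validated")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 are accepted")
    return problems


def open_verified_connection(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Connect only with a context that would reject an impostor server."""
    problems = context_problems(ctx)
    if problems:
        raise ValueError("refusing TLS connection: " + "; ".join(problems))
    raw = socket.create_connection((host, port), timeout=10)
    # server_hostname supplies SNI and is what the hostname check compares
    # against the certificate's subject alternative names.
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("hardened:", context_problems(build_client_context()))
    print("weak:", context_problems(build_client_context(verify=False)))
```

The point of the audit helper is that "uses TLS" is not a yes/no property: a client that encrypts the channel but skips chain validation and the hostname match has no way to know who is on the other end, which is exactly the gap the CVE describes.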
What they claim: The KP125 is a smart plug — a device that switches power on/off and monitors energy consumption. It has no microphone, speaker, or audio hardware. FCC filing 2AXJ4KP125 confirms only a Wi-Fi board and power/relay board.
What we found: The Kasa Smart app (com.tplink.kasa_android v3.3.551) requests the RECORD_AUDIO permission (classified as 'Dangerous' by Google). The KP125 has no audio input or output hardware — it is a wall plug with a relay and an energy monitoring IC. This permission is unnecessary for controlling a smart plug.
What they claim: The KP125 is a stationary device permanently plugged into a wall socket. It does not move and its location is inherently known — it is wherever the user's home is.
What we found: The Kasa Smart app requests ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, and ACCESS_COARSE_LOCATION permissions. The privacy policy states location is collected for 'Geofencing Smart Action' using 'precise location (longitude and latitude)'. However, ACCESS_BACKGROUND_LOCATION means the app tracks your phone's GPS position even when you're not using the app — continuous surveillance of your movements, ostensibly to trigger automations when you leave or arrive home.
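The two permission findings above (microphone and location) are both the same kind of check: compare what the app asks for against what the product can plausibly use. Here is that check as an added example, not TP-Link's code and not the real Kasa manifest: a helper that reads uses-permission entries from an Android manifest, keeps the ones in Android's "dangerous" protection level, and reports those whose capability group the product has no declared justification for. The manifest text and package name are constructed for the example.

```python
"""Added example, not TP-Link's code. The manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Dangerous-level permissions of interest, keyed by the capability they unlock.
DANGEROUS = {
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "LOCATION",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.READ_PHONE_STATE": "PHONE",
}

# Constructed sample: a smart-plug companion app declaring the permissions
# named in the findings above (package name is a placeholder).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plugapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """All android:name values from <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def unjustified_permissions(manifest_xml: str, justified_groups: set) -> list:
    """Dangerous permissions whose capability group the product does not justify.

    justified_groups is the reviewer's input: the capability groups the
    product's hardware or documented features actually account for.
    """
    found = []
    for perm in declared_permissions(manifest_xml):
        group = DANGEROUS.get(perm)
        if group is not None and group not in justified_groups:
            found.append(perm)
    return sorted(found)


if __name__ == "__main__":
    # A relay plug with no microphone and no location-based feature:
    print(unjustified_permissions(SAMPLE_MANIFEST, set()))
    # Same manifest if the geofencing feature is accepted as a justification:
    print(unjustified_permissions(SAMPLE_MANIFEST, {"LOCATION"}))
```

Running it with an empty justification set lists all four dangerous permissions; accepting geofencing as a reason for the LOCATION group still leaves RECORD_AUDIO with nothing to account for it, which matches the plug's hardware as described above.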
What they claim: Kasa privacy policy states: 'We have implemented measures, including encryption and TLS technology, designed to secure your personal data from accidental loss and from unauthorized access, use, alteration, and disclosure.'
What we found: The TP-Link Smart Home Protocol on TCP port 9999 used XOR autokey encryption with a hardcoded initialization vector of 171 — a trivially reversible cipher providing no real security. Iowa State research ('Storming the Kasa?', 2019) confirmed that commands were not authenticated and were accepted without any device state verification. TP-Link later removed port 9999 entirely rather than implementing proper encryption.
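To make "trivially reversible" concrete, here is the scheme described above reimplemented from that description as an added example (not TP-Link's code). The seed 171 is the constant the page names; the sample message is constructed and is not a real protocol command. What the code shows is that the key stream consists of the public seed followed by the ciphertext bytes themselves, so anyone holding the ciphertext already holds everything needed to read it.

```python
"""Added example reimplementing the XOR autokey scheme described above.

Encryption XORs each plaintext byte with a running key that starts at the
constant 171 and is then replaced by the ciphertext byte just produced.
Because the seed is a fixed public constant and every later key byte is
visible on the wire, the cipher offers no confidentiality against anyone
who can observe the traffic, and no authentication at all.
"""

SEED = 171  # the hardcoded "initialization vector" named above; public, not secret


def xor_autokey_encrypt(plaintext: bytes, seed: int = SEED) -> bytes:
    key = seed
    out = bytearray()
    for b in plaintext:
        c = b ^ key
        out.append(c)
        key = c  # next key byte is the ciphertext byte just emitted
    return bytes(out)


def xor_autokey_decrypt(ciphertext: bytes, seed: int = SEED) -> bytes:
    key = seed
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ key)
        key = c  # the key stream is recovered from the ciphertext itself
    return bytes(out)


def keystream_from_ciphertext(ciphertext: bytes, seed: int = SEED) -> bytes:
    """The full key stream a passive observer can write down from the wire:
    the public seed, then every ciphertext byte except the last."""
    return bytes([seed]) + ciphertext[:-1]


def is_deterministic(message: bytes) -> bool:
    """No nonce or per-session key: the same message always encrypts the same way,
    so repeated commands are recognisable even without decrypting them."""
    return xor_autokey_encrypt(message) == xor_autokey_encrypt(message)


if __name__ == "__main__":
    sample = b'{"demo":{"relay":"on"}}'  # constructed, not a real protocol message
    ct = xor_autokey_encrypt(sample)
    print("ciphertext:", ct.hex())
    print("recovered :", xor_autokey_decrypt(ct))
    print("keystream :", keystream_from_ciphertext(ct).hex())
```

Two properties stand out for a defender. First, decryption takes no secret input, so the scheme is an encoding rather than encryption, and a network observer sees commands in the clear. Second, with no authentication tag, nothing distinguishes a message from the owner's app from one that any host on the network chose to send, which is the gap the Iowa State work documents.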
What they claim: The KP125 product page markets 'Energy Monitoring — Monitor connected device's real-time and historical power consumption' as a user-facing feature with no mention of third-party data sharing.
What we found: Kasa privacy policy section 4.2 discloses: 'OhmConnect, energy saving project platform, for the energy consumption statistics. We provide account credentials, device list, device status, device alias and device usage power data with OhmConnect based on your consent.' This means granular power consumption data — which reveals exactly which appliances you use, when, and for how long — can be shared with a third party along with your account credentials.
What they claim: Kasa privacy policy section 5 states security measures protect against 'unauthorized access' and recommends users 'select a strong password' and use '2 Factor Authentication (2FA)' to protect their accounts.
What we found: CVE-2024-46549: The TP-Link MQTT Broker and API gateway allows attackers to establish connections by impersonating devices owned by other users (CVSS 7.6). This is a server-side vulnerability — no amount of strong passwords or 2FA on the user's part can prevent it. The security advice given to users is irrelevant to a vulnerability in TP-Link's own cloud infrastructure.
What they claim: Kasa privacy policy section 5 claims: 'We have implemented measures...designed to secure your personal data from accidental loss and from unauthorized access.'
What we found: CVE-2024-35495: The telemetry component generates a predictable byte pattern (331-123-54) when reporting device state to the cloud. Network observers can determine whether your plug is on or off — and thus whether connected appliances are in use — without decrypting the traffic. This leaks occupancy patterns and daily routines to anyone monitoring network traffic.
What they claim: TP-Link operates Kasa and Tapo as completely separate product lines with different apps (Kasa Smart vs Tapo), different accounts, different privacy policies, and different branding, giving the impression of independent security postures.
What we found: TP-Link's own security advisory (FAQ 3722) groups 'Tapo and Kasa Devices and apps' together for CVE-2023-38906, CVE-2023-38908, and CVE-2023-38909. CVE-2024-46548 and CVE-2024-35495 both affect the Kasa KP125M and Tapo P125M simultaneously. The Kasa KP125 uses the same tplinkcloud.com endpoints as Tapo devices. Despite separate branding, both product lines share the same cloud infrastructure, same vulnerabilities, and same security weaknesses.
What they claim: Kasa privacy policy section 5 states: 'We have implemented measures...designed to secure your personal data' and that TP-Link 'restrict[s] the number of staff in charge with access to your personal data' and 'frequently conduct[s] training and educations.'
What we found: TP-Link's security advisory (FAQ 3722, published 2023-08-23, updated through 2024-10-24) warns: 'vulnerabilities will remain if you do not take all the recommended actions.' This places the burden of patching manufacturer security flaws on end users. Many smart plug users are non-technical consumers who may never check for firmware updates. The advisory was updated four times over 14 months, suggesting ongoing vulnerability management challenges despite claims of proactive security measures.
What they claim: Kasa privacy policy section 2 discloses collection of: TP-Link ID, precise location (longitude/latitude), IMEI number, device usage behavior, app activity data, device logs, photo clicks, volume, video, voice, image quality settings. Section 7 states users can 'Request account and data deletion.'
What we found: The privacy policy provides no data retention period anywhere in the document. While CCPA deletion rights are mentioned, no timeline for compliance is specified. The policy states data may be transferred in case of sale or acquisition ('customer information may be one of the assets that is transferred'). Combined with the breadth of data collected — precise GPS location, device usage patterns, energy consumption data, IMEI numbers — the absence of a retention limit means TP-Link can indefinitely store detailed records of your home life, daily routines, and movements.