TP-Link says your camera videos are protected by strong encryption, but researchers found that every single Tapo C200 camera in the world shares the same secret key. This is like a lock manufacturer giving every customer the same key — anyone who knows the key can watch your camera feed. TP-Link offers a 'privacy mode' that physically covers the lens, but critical security flaws let attackers take complete control of your camera remotely. A hacker could turn the camera on without you knowing, redirect its video feed to their own server, or access recordings you thought were safely stored on your SD card.
What they claim: TP-Link's Tapo privacy marketing page claims the camera uses 'AES 128-bit encryption' for data storage and 'TLS 1.2 encryption protocol' for data transmission, positioning these as strong security measures.
What we found: Security research (evilsocket, December 2025) discovered that the Tapo C200 firmware embeds a hardcoded SSL private key shared identically across ALL Tapo C200 devices. This means any network observer can decrypt the supposedly 'TLS 1.2 encrypted' HTTPS traffic without physical device access. CVE-2023-38907 further confirmed that weak CBC-AES128 encryption allows traffic interception.
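A shared key is a fleet-wide defect, so the practical check is to compare the public key each device presents rather than to inspect one device in isolation. The script below is an added example (not TP-Link's code and not from the research cited above): it walks the DER structure of an X.509 certificate far enough to pull out the SubjectPublicKeyInfo, hashes it the way public-key pinning does, and groups devices whose certificates carry the same key. The three sample certificates are constructed inline with a minimal DER encoder; they have a real certificate layout but meaningless key and signature bytes.

```python
"""Fleet audit: find devices that present the same TLS public key."""
import hashlib
import ssl
from collections import defaultdict


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: low 7 bits = number of length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the encoded SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    tag, cert_body, _ = der_read(cert_der, 0)        # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, tbs, _ = der_read(cert_body, 0)             # tbsCertificate SEQUENCE
    assert tag == 0x30, "tbsCertificate missing"
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                               # serial, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, nxt = der_read(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo missing"
    return tbs[pos:nxt]


def spki_fingerprint(cert) -> str:
    """SHA-256 over the SPKI (the value pinning tools use). Accepts PEM text or DER bytes."""
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert)
    return hashlib.sha256(extract_spki(cert)).hexdigest()


def find_shared_keys(certs: dict) -> dict:
    """Map fingerprint -> device names, keeping only keys seen on two or more devices."""
    groups = defaultdict(list)
    for device, cert in certs.items():
        groups[spki_fingerprint(cert)].append(device)
    return {fp: devs for fp, devs in groups.items() if len(devs) > 1}


# --- constructed sample data (synthetic certificates, not real device material) ---
def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build the sample certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _make_cert(serial: int, key_bits: bytes) -> bytes:
    rsa = _der(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption OID
    sha256_rsa = _der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption OID
    null = _der(0x05, b"")
    spki = _der(0x30, _der(0x30, rsa + null) + _der(0x03, b"\x00" + key_bits))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                     # version v3
               + _der(0x02, serial.to_bytes(2, "big"))            # serialNumber
               + _der(0x30, sha256_rsa + null)                    # signature algorithm
               + _der(0x30, b"")                                  # issuer (empty Name)
               + _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"260101000000Z"))
               + _der(0x30, b"")                                  # subject (empty Name)
               + spki)
    return _der(0x30, tbs + _der(0x30, sha256_rsa + null) + _der(0x03, b"\x00" + b"\xAA" * 16))


# Two cameras carry an identical key (the condition described above); the router has its own.
SAMPLE_CERTS = {
    "camera-kitchen": _make_cert(1, bytes(range(1, 65))),
    "camera-porch":   _make_cert(2, bytes(range(1, 65))),
    "router-lan":     _make_cert(3, bytes(range(64, 0, -1))),
}

if __name__ == "__main__":
    for fp, devices in find_shared_keys(SAMPLE_CERTS).items():
        print(f"shared public key {fp[:16]}... presented by: {', '.join(devices)}")
```

To run it against real devices, capture each one's certificate with `openssl s_client -connect <ip>:443 -showcerts` and pass the PEM text to `spki_fingerprint`; a certificate carved out of a firmware image can be passed as DER bytes. Any fingerprint that appears on more than one device you own, or that matches a device owned by someone else, is the shared-key condition.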
What they claim: The Tapo companion app (com.tplink.iot) requests ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, and NEARBY_WIFI_DEVICES permissions, which could be justified for camera setup via Wi-Fi discovery.
What we found: The firmware's scanApList method exposes all nearby Wi-Fi SSIDs, BSSIDs, and signal strength without authentication (evilsocket research, 2025). Combined with the app's fine location and background location permissions, this creates a persistent location tracking capability — the camera itself can be physically located to within a few meters via Wi-Fi positioning APIs, and the app tracks location even in the background.
What they claim: TP-Link's privacy policy states data collection includes 'IP address, MAC address, access times, location, mobile device information' and data is shared with unnamed 'business partners' and 'analytics services'.
What we found: The Tapo app (v3.17.109) includes Google Firebase Analytics and Google Crashlytics trackers, and requests ACCESS_ADSERVICES_AD_ID and ACCESS_ADSERVICES_ATTRIBUTION permissions — advertising tracking permissions that go beyond the stated analytics purpose. The app also requests READ_PHONE_STATE, which provides access to the phone number, IMEI and carrier information. The policy does not specifically disclose advertising ID collection or ad attribution tracking.
What they claim: The Tapo app requests RECORD_AUDIO, CAMERA, and FOREGROUND_SERVICE_MICROPHONE permissions, ostensibly for two-way audio communication with the camera and QR code scanning for setup.
What we found: The camera runs OpenWrt-based Linux (kernel 3.10.27) with a built-in microphone and speaker always powered. CVE-2021-4045 allowed unauthenticated root-level RCE, meaning an attacker could silently activate the microphone and record audio from inside the home. The app's FOREGROUND_SERVICE_MICROPHONE and RECEIVE_BOOT_COMPLETED permissions together enable persistent background audio access. The device has no hardware indicator when the microphone is active.
What they claim: The Tapo C200 firmware communicates with five hardcoded cloud endpoints (euw1-api.tplinkcloud.com, use1-api.tplinkcloud.com, aps1-api.tplinkcloud.com, devs.tplinkcloud.com, n-devs.tplinkcloud.com) spanning EU, US, and Asia-Pacific regions.
What we found: FCC filing TE7C200 identifies the applicant as TP-Link Technologies Co., Ltd., Shenzhen, China. The privacy policy discloses data sharing with unnamed 'authorized partners' and 'service providers' but does not specify which regional cloud endpoints process data or whether video from a US customer might transit through servers in other jurisdictions. The camera phones home to servers in three continental regions regardless of user location.
What they claim: TP-Link markets 'physical privacy mode' where 'the camera's lens will be blocked by the shell from recording' and presents local SD card storage as a privacy-preserving alternative to cloud storage.
What we found: CVE-2025-14300 (CVSS 8.7) reveals the connectAp endpoint remains accessible without authentication after setup. An attacker can disconnect the camera from its home Wi-Fi and force it to connect to an attacker-controlled network, enabling persistent access to the video stream. CVE-2021-4045 (CVSS 9.8) allowed unauthenticated remote code execution as root, giving full control over the camera including the ability to bypass privacy mode or access local storage.
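Both the scanApList finding above and this connectAp finding share one detectable shape: a Wi-Fi management method invoked with no session and, for connectAp, an SSID that is not the home network. The script below is an added example, not TP-Link's code, showing that detection over request records as a proxy or IDS placed in front of the camera might log them. The record layout, the `stok` session-token field, the `multipleRequest` batching wrapper and the `ssid` parameter are assumptions about the API, and every record is constructed.

```python
"""Flag unauthenticated or suspicious calls to the camera's Wi-Fi methods."""
import json

SENSITIVE_METHODS = {"scanApList", "connectAp"}


def iter_methods(body):
    """Yield (method, params) pairs, unwrapping a batched request if present (assumed shape)."""
    method = body.get("method")
    params = body.get("params") or {}
    if method == "multipleRequest":
        for inner in params.get("requests", []):
            yield from iter_methods(inner)
    else:
        yield method, params


def audit_requests(records, home_ssid):
    """Return alert dicts for sensitive methods used without a token or to leave the home network."""
    alerts = []
    for rec in records:
        body = rec["body"]
        if isinstance(body, str):          # accept raw JSON text as a proxy would log it
            body = json.loads(body)
        for method, params in iter_methods(body):
            if method not in SENSITIVE_METHODS:
                continue
            if not rec.get("stok"):        # assumed token field; absent = unauthenticated caller
                alerts.append({"src": rec["src"], "method": method,
                               "reason": "sensitive method called without a session token"})
            ssid = params.get("ssid")
            if method == "connectAp" and ssid and ssid != home_ssid:
                alerts.append({"src": rec["src"], "method": method,
                               "reason": f"connectAp points the camera at foreign SSID {ssid!r}"})
    return alerts


# Constructed records: .20 is the owner's phone with a valid token; .77 is an unknown host.
SAMPLE_RECORDS = [
    {"src": "192.168.1.20", "stok": "a1b2c3", "body": {"method": "getDeviceInfo", "params": {}}},
    {"src": "192.168.1.20", "stok": "a1b2c3", "body": {"method": "scanApList", "params": {}}},
    {"src": "192.168.1.77", "stok": None, "body": '{"method": "scanApList", "params": {}}'},
    {"src": "192.168.1.77", "stok": None, "body": {"method": "multipleRequest", "params": {
        "requests": [{"method": "connectAp", "params": {"ssid": "Setup-Open"}}]}}},
    {"src": "192.168.1.20", "stok": "a1b2c3", "body": {"method": "connectAp", "params": {"ssid": "HomeNet"}}},
]

if __name__ == "__main__":
    for alert in audit_requests(SAMPLE_RECORDS, home_ssid="HomeNet"):
        print(f"{alert['src']:>14}  {alert['method']:<12} {alert['reason']}")
```

The foreign-SSID rule deliberately fires even for an authenticated caller, because a camera being moved off the home network is worth a look regardless of who asked. Detection is a backstop: the advisory referenced later on this page puts the fix in firmware 1.4.5 Build 251104, and keeping the camera on an isolated IoT network limits who can reach the endpoint at all.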
What they claim: TP-Link's marketing claims the camera uses 'regular security audits to track and monitor data access events' and holds ISO 27001/27701 certifications, implying robust security governance.
What we found: CVE-2021-4045 (CVSS 9.8 Critical) — a trivially exploitable unauthenticated RCE via command injection in setLanguage() — existed in production firmware from at least 2019 until patched in December 2021. The vulnerability was in a basic web server function that passed user input directly to popen() without any sanitization. In 2025, three more critical vulnerabilities were found (CVE-2025-8065, CVE-2025-14299, CVE-2025-14300), including a hardcoded SSL private key shared across all devices. This pattern of elementary security failures over 6+ years contradicts claims of regular security audits.
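The setLanguage() defect described above is the textbook case of untrusted input reaching a shell. The block below is an added example, not the Tapo firmware: the firmware is C and hands the string to popen(), but Python's `os.popen` and `subprocess` with `shell=True` interpret metacharacters the same way, so the flawed pattern and its fix are shown here side by side. The helper path `/usr/bin/set_locale` and the allowlist of locale codes are placeholders.

```python
"""Command injection in a language-setting handler: vulnerable pattern and hardened form."""
import re
import subprocess

SET_LOCALE = "/usr/bin/set_locale"                                # placeholder helper path
ALLOWED_LANGUAGES = {"en", "de", "fr", "es", "en_US", "zh_CN"}     # constructed allowlist
LANGUAGE_RE = re.compile(r"^[a-z]{2}(_[A-Z]{2})?$")


def vulnerable_command(language: str) -> str:
    """Builds the command line the way the flawed handler did.

    Returned rather than executed so the defect can be inspected: in the firmware this
    string went to popen(), where ';', '|', '&&' and backticks in `language` become
    additional commands run as the web server's user (root, per the page).
    """
    return f"{SET_LOCALE} {language}"


def validate_language(language: str) -> str:
    """Accept only a known locale code; the syntax check keeps the error safe to log."""
    if not LANGUAGE_RE.fullmatch(language):
        raise ValueError("malformed language code")
    if language not in ALLOWED_LANGUAGES:
        raise ValueError("unsupported language")
    return language


def safe_argv(language: str) -> list:
    """Validated input becomes one argv element: no shell, nothing to parse."""
    return [SET_LOCALE, validate_language(language)]


def set_language(language: str, executable: str = SET_LOCALE) -> str:
    """Run the helper without a shell; `executable` is overridable so the demo can use echo."""
    argv = safe_argv(language)
    argv[0] = executable
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    hostile = "en; echo injected"
    print("flawed handler would hand the shell:", vulnerable_command(hostile))
    try:
        safe_argv(hostile)
    except ValueError as err:
        print("hardened handler rejected it:", err)
    # Even if validation were skipped, argv passing keeps the text as one literal argument:
    print(subprocess.run(["echo", hostile], capture_output=True, text=True).stdout, end="")
```

Two independent layers are doing the work: the allowlist stops anything that is not a locale code from getting in, and passing argv without a shell means that even a validation bypass cannot turn an argument into a second command. Where a shell truly is unavoidable, `shlex.quote` is the minimum, but it is a weaker guarantee than never invoking one.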
What they claim: TP-Link released a security advisory for CVE-2025-8065, CVE-2025-14299, and CVE-2025-14300 affecting Tapo C200 V3 firmware below 1.4.5 Build 251104, recommending users update via the Tapo Mobile Application.
What we found: The firmware runs on OpenWrt-based Linux with kernel 3.10.27 (released 2013) — a kernel version that has not received security patches in years. The XMC XM25QH64A NOR flash (64Mbit / 8MB) severely constrains firmware size, limiting the ability to add modern security features. TP-Link's entire firmware repository was found exposed in an open S3 bucket, enabling pre-deployment reverse engineering. The fix-via-app-update model means devices not actively managed remain permanently vulnerable.
What they claim: The Tapo app (com.tplink.iot) serves as the single control interface for all Tapo devices including cameras, smart plugs, light bulbs, and sensors — a shared app architecture across the entire product ecosystem.
What we found: FCC filings show the Tapo C200 (TE7C200) is manufactured by TP-Link Technologies Co., Ltd., Shenzhen, China, while a V2 revision (2AXJ4C200V2) was filed by TP-Link Corporation Limited (a separate legal entity). The shared Tapo app and shared KLAP protocol (CVE-2023-38906/07/08) mean a vulnerability in any Tapo device potentially compromises the entire ecosystem — an attacker who compromises one smart plug could potentially pivot to cameras recording inside the home.
What they claim: TP-Link's Tapo privacy marketing claims 'Two-Step Verification' protects user accounts and presents privacy zones and physical privacy mode as effective user controls.
What we found: The Tapo app requests SYSTEM_ALERT_WINDOW (draw over other apps), BLUETOOTH_PRIVILEGED (privileged Bluetooth access), and MANAGE_OWN_CALLS (manage phone calls) — permissions that have no clear connection to camera control or two-step verification. SYSTEM_ALERT_WINDOW in particular is flagged by Android as a dangerous permission that can be used for phishing overlays. The app's 41 total permissions far exceed what a camera control app requires.
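The permission findings here and in the advertising-tracker section above come down to one review step: list what the manifest declares and compare it with what a camera-control app can plausibly justify. The script below is an added example, not from TP-Link or the Tapo app. The manifest text is constructed from the permission names quoted on this page (not copied from the APK), and the "expected for a camera app" allowlist and the risk notes are the editor's judgement, to be tuned per review.

```python
"""Audit an AndroidManifest.xml against what a camera-control app plausibly needs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERMISSION_TAGS = {"uses-permission", "uses-permission-sdk-23"}

# Permissions a camera/setup app can justify (assumed allowlist, adjust per review).
EXPECTED = {
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE", "android.permission.CHANGE_WIFI_STATE",
    "android.permission.NEARBY_WIFI_DEVICES", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.FOREGROUND_SERVICE", "android.permission.FOREGROUND_SERVICE_MICROPHONE",
    "android.permission.POST_NOTIFICATIONS", "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Permissions that need a written justification whenever they appear (editor's notes).
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (overlay phishing surface)",
    "android.permission.READ_PHONE_STATE": "device identity: phone number, IMEI, carrier",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is not in use",
    "android.permission.ACCESS_ADSERVICES_AD_ID": "advertising identifier",
    "android.permission.ACCESS_ADSERVICES_ATTRIBUTION": "ad attribution tracking",
    "android.permission.BLUETOOTH_PRIVILEGED": "signature-level Bluetooth access",
    "android.permission.MANAGE_OWN_CALLS": "telephony call management",
}


def declared_permissions(manifest_xml: str) -> list:
    """Every permission name the manifest declares, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter() if el.tag in PERMISSION_TAGS]


def audit_manifest(manifest_xml: str) -> list:
    """Return (permission, severity, note) for each declaration outside the allowlist."""
    findings = []
    for perm in declared_permissions(manifest_xml):
        if perm in EXPECTED:
            continue
        if perm in HIGH_RISK:
            findings.append((perm, "high", HIGH_RISK[perm]))
        else:
            findings.append((perm, "review", "no obvious camera-control purpose"))
    return sorted(findings)


# Constructed manifest built from the permission names quoted on the page; not the real APK's.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cameraapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.NEARBY_WIFI_DEVICES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.BLUETOOTH_PRIVILEGED"/>
  <uses-permission android:name="android.permission.MANAGE_OWN_CALLS"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_AD_ID"/>
  <uses-permission android:name="android.permission.ACCESS_ADSERVICES_ATTRIBUTION"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, severity, note in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{severity:<6}] {perm}: {note}")
```

Decode a real APK's manifest to text with `apktool d app.apk`, or list the declarations directly with `aapt dump permissions app.apk` and feed the names into the same allowlist comparison. Anything flagged "high" should map to a feature the vendor documents; anything left in "review" is the question to put to them.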
What they claim: TP-Link's CCPA disclosure states California residents can request data deletion, but specifies no data retention period or timeline for compliance.
What we found: The privacy policy separately discloses collection of 'images and videos collected or stored in connection with cloud services' and 'device log files and configurations, including Wi-Fi credentials.' Without a stated retention period, video footage from inside homes and Wi-Fi passwords could be retained indefinitely. TP-Link's Tapo Care cloud service stores 30 days of video history by default, but the policy does not clarify what happens to data after subscription cancellation or after the 30-day window.