TP-Link claims your camera data is protected by strong encryption that is "highly resistant to eavesdropping," but security researchers found that the encryption system (KLAP protocol) used by the C210 has fundamental flaws. An attacker on your network could intercept the camera's communications and steal your Wi-Fi password — the opposite of what TP-Link claims. TP-Link suggests you can keep your camera footage private by storing it locally on an SD card instead of in the cloud. But the camera still connects to TP-Link's cloud servers regardless, and security researchers found that anyone on your home Wi-Fi network could bypass the camera's password protection and take full control of it — potentially watching your video feed.
What they claim: TP-Link marketing claims "AES 128-bit encryption" for data storage and "TLS 1.2 encryption protocol" for transmission, describing these as providing "exceptional protection" that is "highly resistant to eavesdropping."
What we found: CVE-2023-38906 (KLAP protocol vulnerability) allows unauthenticated session key derivation, enabling command injection and Wi-Fi credential theft on the C210. CVE-2023-38907 covers a weak AES-128-CBC implementation in the same protocol. The KLAP protocol, shared across all Tapo devices, was shown to have fundamental cryptographic flaws by University of Catania/London researchers (SECRYPT 2024). The camera communicates with 5 hardcoded cloud endpoints (euw1-api.tplinkcloud.com, use1-api.tplinkcloud.com, aps1-api.tplinkcloud.com, devs.tplinkcloud.com, n-devs.tplinkcloud.com).
What they claim: TP-Link marketing page states "We Care About Your Privacy and Security" and highlights ISO 27001/27701 certifications, AES 128-bit encryption, and TLS 1.2 for data protection.
What we found: The Tapo app (v3.17.109) requests ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, and AD_ID permissions, all of which exist to read the advertising identifier and attribute installs and conversions to ad campaigns. It also includes the Google Firebase Analytics tracker. These advertising-related permissions are not disclosed in the privacy marketing claims and contradict the privacy-first positioning. The app also requests ACCESS_BACKGROUND_LOCATION, which, once the user grants "Allow all the time", permits location access while the app is not in the foreground.
What they claim: The Tapo app requests RECORD_AUDIO and FOREGROUND_SERVICE_MICROPHONE permissions, ostensibly for two-way audio communication with the camera.
What we found: The C210 has a built-in microphone and speaker for two-way audio, which justifies RECORD_AUDIO. However, the app also requests FOREGROUND_SERVICE_MICROPHONE, the Android 14 foreground-service-type permission that lets a service keep the microphone open while the app is not on screen, with only a persistent notification as the user-visible sign. Combined with RECEIVE_BOOT_COMPLETED (auto-start on phone boot) and FOREGROUND_SERVICE_DATA_SYNC (background data sync), the app has the technical capability to continuously access the phone's microphone and sync data to TP-Link's cloud, independent of the camera's two-way audio feature. The manifest shows capability, not observed behaviour: the microphone still needs a runtime grant, and whether the app records outside a two-way audio session would need a traffic or dynamic-analysis check to confirm.
What they claim: TP-Link's marketing page highlights "Two-Step Verification mechanism" and "Physical privacy mode" as user privacy controls, positioning the product as giving users control over their security.
What we found: Despite these privacy controls for the camera itself, the Tapo app (which is required to use these features) contains the Google Firebase Analytics tracker and requests ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, and AD_ID. This means that while users think they are managing their camera's privacy, the app managing those privacy controls is itself tracking user behavior for advertising purposes. The BIND_GET_INSTALL_REFERRER_SERVICE permission lets the app query the Play Install Referrer API for the campaign or link that led to the install.
What they claim: The C210 product page promotes "Smart Detection" with AI-powered person, pet, and vehicle detection as a key feature, with the marketing suggesting intelligent on-device processing.
What we found: The MStar SSC335 chipset has an integrated ISP and hardware-accelerated AI capabilities that could support on-device detection. However, TP-Link's Tapo Care subscription locks advanced AI detection behind a paid cloud plan, which suggests that at least some AI processing occurs in the cloud rather than on-device (a subscription gate alone does not prove this, since an on-device feature can also be licence-locked in firmware). The privacy policy states "images and videos collected via cloud services" are stored but does not clarify whether AI detection thumbnails, metadata, or full frames are transmitted to cloud servers for processing, even for users not subscribed to Tapo Care.
What they claim: TP-Link markets the C210 with "Physical privacy mode" and local microSD storage (up to 512GB) as privacy-preserving alternatives to cloud recording. The product page emphasizes local storage and user control.
What we found: The firmware connects to 5 hardcoded cloud endpoints regardless of storage choice. CVE-2023-35717 (CVSS 8.8) allows network-adjacent attackers to bypass authentication entirely via the password recovery mechanism. Combined with CVE-2023-41184 (CVSS 8.0 stack buffer overflow), attackers can achieve remote code execution on the camera. Even with "local only" storage, the camera maintains cloud connections and is vulnerable to complete takeover by anyone on the same network.
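A practitioner-side check for the cloud-connection finding above (and for the endpoint list given earlier on this page): the script below is an added example, not TP-Link's or the researchers' code. It reads dnsmasq-style DNS query logs from a home router, attributes lookups to the camera's IP address, counts contacts per hardcoded endpoint, and emits a dnsmasq sinkhole config for them. The log lines, the camera address 192.168.1.42, the second client 192.168.1.77 and the extra hostname example.tplinkcloud.com are constructed for the example.

```python
import re
from collections import Counter

# The five cloud endpoints this page reports as hardcoded in the C210 firmware.
TAPO_ENDPOINTS = {
    "euw1-api.tplinkcloud.com",
    "use1-api.tplinkcloud.com",
    "aps1-api.tplinkcloud.com",
    "devs.tplinkcloud.com",
    "n-devs.tplinkcloud.com",
}

# dnsmasq query line: "<ts> dnsmasq[pid]: query[A] <name> from <client ip>"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>[\d.]+)")

# Constructed sample log (not captured from a real camera). 192.168.1.42 plays the C210,
# 192.168.1.77 is another client, and example.tplinkcloud.com is a made-up extra name.
SAMPLE_LOG = """\
Jan 14 10:02:11 dnsmasq[812]: query[A] euw1-api.tplinkcloud.com from 192.168.1.42
Jan 14 10:02:11 dnsmasq[812]: reply euw1-api.tplinkcloud.com is 203.0.113.10
Jan 14 10:02:12 dnsmasq[812]: query[A] devs.tplinkcloud.com from 192.168.1.42
Jan 14 10:02:12 dnsmasq[812]: query[A] n-devs.tplinkcloud.com from 192.168.1.42
Jan 14 10:03:40 dnsmasq[812]: query[A] euw1-api.tplinkcloud.com from 192.168.1.42
Jan 14 10:05:01 dnsmasq[812]: query[A] use1-api.tplinkcloud.com from 192.168.1.77
Jan 14 10:05:09 dnsmasq[812]: query[A] example.tplinkcloud.com from 192.168.1.42
Jan 14 10:06:00 dnsmasq[812]: query[AAAA] time.cloudflare.com from 192.168.1.42
""".splitlines()


def cloud_contacts(log_lines, camera_ip):
    """Count the camera's DNS lookups of TP-Link cloud names.

    Returns (hardcoded, other): lookups of the five known endpoints, and of any
    other tplinkcloud.com name, each keyed by hostname. Only queries whose source
    address is camera_ip are counted, so other clients' traffic is ignored.
    """
    hardcoded, other = Counter(), Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group("src") != camera_ip:
            continue
        name = m.group("name").lower().rstrip(".")
        if name in TAPO_ENDPOINTS:
            hardcoded[name] += 1
        elif name == "tplinkcloud.com" or name.endswith(".tplinkcloud.com"):
            other[name] += 1
    return hardcoded, other


def dnsmasq_sinkhole(hostnames):
    """dnsmasq config lines that answer NXDOMAIN for each name (address=/host/ with no IP)."""
    return "".join(f"address=/{h}/\n" for h in sorted(hostnames))


if __name__ == "__main__":
    known, extra = cloud_contacts(SAMPLE_LOG, "192.168.1.42")
    for host, n in sorted(known.items()):
        print(f"{n:4d}  {host}")
    for host, n in sorted(extra.items()):
        print(f"{n:4d}  {host}  (not in the hardcoded list)")
    print(dnsmasq_sinkhole(TAPO_ENDPOINTS | set(extra)), end="")
```

Run it over the real router log with the camera set to microSD-only storage and left idle; any non-zero count is the cloud contact the marketing does not mention. Sinkholing the five names is likely to break remote viewing through the Tapo app, so treat the config output as a test of what the camera does when the cloud is unreachable rather than as a finished hardening step.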
What they claim: The Tapo privacy policy states data collection is for "safety, security, and service personalization" and mentions only necessary data like device info and account credentials.
What we found: The app requests 41 permissions including READ_PHONE_STATE (phone and carrier state; since Android 10 it no longer exposes the IMEI, and since Android 11 the phone number needs READ_PHONE_NUMBERS), CAMERA (the phone's own camera, separate from the device's video feed), ACCESS_BACKGROUND_LOCATION (location access while the app is not in the foreground), BLUETOOTH_PRIVILEGED (a signature|privileged permission that Android never grants to a Play-distributed app, so its presence is a manifest oddity rather than actual elevated access), SYSTEM_ALERT_WINDOW (can draw over other apps), and MANAGE_OWN_CALLS (lets the app register its own VoIP-style calls with Android's telecom framework). Many of these permissions are not required for operating a security camera and are not adequately explained in the privacy policy.
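To reproduce the permission findings in the passages above (the advertising identifiers, the microphone/boot/data-sync combination, and the 41-permission list) against any build of the app, the triage script below parses the output of `aapt dump permissions <apk>` and sorts each permission into the categories those passages discuss. It is an added example, not part of this page's research or of TP-Link's code. The sample output, its package name com.example.camera and its permission set are constructed from the names on this page and are not a full dump of the Tapo app.

```python
import re

# Constructed sample in the format of `aapt dump permissions <apk>`; the package name is
# made up and the list holds only the permissions named on this page, not a full dump.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.camera
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.ACCESS_BACKGROUND_LOCATION'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.FOREGROUND_SERVICE_MICROPHONE'
uses-permission: name='android.permission.FOREGROUND_SERVICE_DATA_SYNC'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.MANAGE_OWN_CALLS'
uses-permission: name='android.permission.BLUETOOTH_PRIVILEGED'
uses-permission: name='android.permission.ACCESS_ADSERVICES_AD_ID'
uses-permission: name='android.permission.ACCESS_ADSERVICES_ATTRIBUTION'
uses-permission: name='com.google.android.gms.permission.AD_ID'
uses-permission: name='com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE'
"""

PERM_RE = re.compile(r"uses-permission(?:-sdk-23)?: name='([^']+)'")

ADVERTISING = {  # advertising ID, attribution and install-referrer access
    "android.permission.ACCESS_ADSERVICES_AD_ID",
    "android.permission.ACCESS_ADSERVICES_ATTRIBUTION",
    "com.google.android.gms.permission.AD_ID",
    "com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE",
}
SENSITIVE_RUNTIME = {  # runtime ("dangerous") permissions: sensors and identity, user must grant
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}
BACKGROUND = {  # lets work continue while the app is not on screen
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}
NOT_GRANTABLE = {  # signature|privileged: never granted to a third-party app
    "android.permission.BLUETOOTH_PRIVILEGED",
}
SPECIAL_ACCESS = {  # granted through a Settings screen, not a runtime prompt
    "android.permission.SYSTEM_ALERT_WINDOW",
}
FGS_PREFIX = "android.permission.FOREGROUND_SERVICE_"  # Android 14 typed foreground-service permissions


def parse_permissions(aapt_output):
    """Extract the distinct <uses-permission> names from aapt output."""
    return sorted(set(PERM_RE.findall(aapt_output)))


def triage(aapt_output):
    """Bucket the declared permissions and flag capability combinations worth a closer look.
    This is manifest evidence only: it shows what the app could do, not what it was seen doing."""
    perms = parse_permissions(aapt_output)
    present = set(perms)
    report = {
        "advertising": [p for p in perms if p in ADVERTISING],
        "sensitive_runtime": [p for p in perms if p in SENSITIVE_RUNTIME],
        "background": [p for p in perms if p in BACKGROUND or p.startswith(FGS_PREFIX)],
        "not_grantable": [p for p in perms if p in NOT_GRANTABLE],
        "special_access": [p for p in perms if p in SPECIAL_ACCESS],
        "flags": [],
    }
    classified = {p for k, v in report.items() if k != "flags" for p in v}
    report["unclassified"] = [p for p in perms if p not in classified]

    if {"android.permission.RECORD_AUDIO", "android.permission.FOREGROUND_SERVICE_MICROPHONE",
        "android.permission.RECEIVE_BOOT_COMPLETED"} <= present:
        report["flags"].append("microphone can stay open off-screen and the service can restart at boot")
    if "android.permission.FOREGROUND_SERVICE_DATA_SYNC" in present and report["advertising"]:
        report["flags"].append("background data sync declared alongside advertising identifiers")
    if report["not_grantable"]:
        report["flags"].append("requests a privileged permission the platform will not grant; noise, not access")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AAPT_OUTPUT).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

Feed it `aapt dump permissions` output from the APK version under review; the flags are the starting points for a dynamic check (traffic capture, runtime permission prompts), not findings on their own.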
What they claim: FCC filing 2AXJ4C210 certifies the C210 for standard Wi-Fi operation. TP-Link's security advisory page states they will "do our utmost to provide users with secure stable products" and "strictly protect the privacy and security of their data."
What we found: CVE-2025-14553 (disclosed January 2025) reveals that the Tapo app leaks password hashes via an unauthenticated API response on the local network, a fundamental flaw in the companion app used to control the C210. Anyone on the same Wi-Fi can take the hash offline and recover the password by dictionary or brute-force guessing, with no server-side lockout to slow them down. Combined with the C210-specific CVE-2023-35717 (auth bypass, CVSS 8.8) and CVE-2023-41184 (RCE, CVSS 8.0), the device has a chain of vulnerabilities from app to firmware. TP-Link's security advisory page acknowledges these issues but places the remediation burden (installing firmware and app updates) on users.
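Why a leaked hash is close to a leaked password, as an added illustration rather than anything from the advisory: the page does not say which hash the app returns, so an unsalted single-pass SHA-256 is assumed here as the weak case, with PBKDF2 shown only for the per-guess cost comparison. The word list and the password camera2023 are constructed.

```python
import hashlib
import time


# Assumed weak case (the page does not state the algorithm the app leaks):
# an unsalted, single-pass SHA-256 of the password.
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(leaked_hex: str, wordlist):
    """Offline guessing against a leaked hash: no network round-trips and no lockout,
    so throughput is bounded only by local hashing speed. Returns the password or None."""
    target = leaked_hex.lower()
    for candidate in wordlist:
        if weak_hash(candidate) == target:
            return candidate
    return None


def weak_hashes_per_second(seconds: float = 0.2) -> int:
    """Single-core throughput of weak_hash on this machine (pure Python, no GPU)."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        weak_hash(f"guess{n}")
        n += 1
    return int(n / seconds)


def hardened_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted, iterated KDF (PBKDF2-HMAC-SHA256). Each guess now costs `iterations`
    HMAC rounds, and the salt stops one precomputed table from serving every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed word list and password; LEAKED stands in for the value read from the response.
SAMPLE_WORDLIST = ["123456", "password", "tapo1234", "camera2023", "letmein"]
LEAKED = weak_hash("camera2023")


if __name__ == "__main__":
    rate = weak_hashes_per_second()
    print(f"recovered: {dictionary_attack(LEAKED, SAMPLE_WORDLIST)}")
    print(f"~{rate:,} weak guesses/s on one core; a 14M-entry list takes ~{14_000_000 / rate:.0f} s")
    print("PBKDF2 at 600k iterations costs roughly 600,000 HMAC rounds per guess instead of one hash")
```

The KDF comparison only raises the cost per guess; a weak password still falls to a word list. The actual fix for the flaw described above is that an unauthenticated request must never receive verifier material at all.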
What they claim: FCC filing shows the C210 is manufactured by TP-Link Corporation Limited (Hong Kong) under grantee code 2AXJ4, a different legal entity from the older TE7 grantee (TP-Link Technologies, Shenzhen, China).
What we found: The corporate restructuring from TP-Link Technologies (Shenzhen) to TP-Link Corporation Limited (Hong Kong) changes the legal jurisdiction governing data handling. The firmware connects to regional cloud endpoints (euw1-api, use1-api, aps1-api.tplinkcloud.com) but the privacy policy states all data is "transferred to and stored in the US." The KLAP protocol vulnerabilities (CVE-2023-38906/07/08) affect all Tapo devices across both corporate entities, suggesting shared infrastructure regardless of which legal entity manufactured the device.
What they claim: TP-Link's privacy policy states personal data is retained "as long as your account is used" and allows California residents to "request data deletion" under CCPA.
What we found: The privacy policy provides no specific data retention timeline. The CCPA section mentions deletion rights but specifies no compliance deadline. For a camera that records video and audio inside homes, the absence of a defined retention period means TP-Link could retain video footage, audio recordings, and location data indefinitely. The policy also states data is "transferred to and stored in the US" without specifying which data center or providing data residency guarantees.