TP-Link says your camera footage is encrypted and secure, but security researchers found that the encryption keys are identical on every camera of the same model. Anyone on your WiFi network could potentially decrypt your video streams. This is like a lock manufacturer using the same key for every lock they sell. TP-Link says they take security seriously, but their cameras have been found with the same encryption keys in every unit, can be crashed by anyone on your network without a password, and leak your account password to nearby attackers. When a researcher reported these issues, it took TP-Link five months to respond. For a device watching your home 24/7, this is deeply concerning.
What they claim: TP-Link Tapo cameras promoted as secure home monitoring with encrypted video
What we found: In 2025, researcher Simone Margaritelli disclosed "TAPOcalypse" — 16 vulnerabilities across TP-Link Tapo cameras including unauthenticated Wi-Fi hijacking (CVE-2025-14300), buffer overflows, and hardcoded SSL private keys shared across ALL Tapo C200 cameras. An attacker within Wi-Fi range can force any Tapo camera to join a rogue network and intercept video streams. Over 25,000 devices were found exposed online. TP-Link took 150 days to issue an advisory.
What they claim: The camera is marketed for outdoor use (IP66 weatherproof) and captures 360-degree panoramic 2K QHD video with AI person/vehicle detection and 98ft night vision range.
What we found: An outdoor camera with 360-degree pan, 130-degree tilt, 2K resolution, AI-powered person detection, and 98-foot night vision range inevitably captures public spaces — streets, sidewalks, neighbours' properties. The privacy policy makes no mention of third-party privacy obligations, data handling for incidentally captured people, or compliance with surveillance camera regulations. FCC filing covers only RF emissions, not privacy. No GDPR Art. 6 legitimate interest assessment disclosed for capturing non-consenting individuals. Line-crossing detection and tamper detection features imply persistent monitoring of public areas.
What they claim: The C520WS product page emphasizes "Physical Privacy Mode" where the lens is physically blocked by the housing, giving users confidence in privacy control.
What we found: Physical Privacy Mode blocks the lens but the Tapo app retains RECORD_AUDIO, ACCESS_BACKGROUND_LOCATION, and FOREGROUND_SERVICE_MICROPHONE permissions. The app can still access the phone's microphone and location even when the camera lens is physically blocked. The camera's built-in microphone hardware state during Privacy Mode is not documented — the privacy policy does not clarify whether audio recording ceases when Privacy Mode is activated or only video.
What they claim: TP-Link's Tapo privacy marketing page states the company prioritizes user privacy and collects only necessary data. The product page emphasizes "Physical Privacy Mode" and local processing.
What we found: The Tapo app (v3.17.109) requests 41 Android permissions including ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION (advertising tracking), ACCESS_BACKGROUND_LOCATION (continuous location tracking even when app is closed), READ_PHONE_STATE (device identifiers), CAMERA, RECORD_AUDIO, and MANAGE_OWN_CALLS. The app includes Google Firebase Analytics and Google CrashLytics trackers. Ad service permissions have no connection to camera functionality.
What they claim: FCC ID 2AXJ4C520WS is filed by TP-Link Corporation Limited (Hong Kong), and the product is marketed as a global brand with data stored in the US.
What we found: TP-Link is headquartered in Shenzhen, China (founded there in 1996). The FCC grantee code 2AXJ4 is registered to TP-Link Corporation Limited in Hong Kong — a corporate restructuring from the older TE7 code (TP-Link Technologies Co., Ltd., Shenzhen). The camera connects to endpoints across regions: euw1-api (EU West), use1-api (US East), aps1-api (Asia Pacific South). While the privacy policy says data is "transferred to and stored in the US," the multi-region endpoint architecture suggests data routing to servers in multiple jurisdictions including Asia Pacific. Chinese national security laws (2017 National Intelligence Law) require Chinese companies to cooperate with state intelligence work.
What they claim: TP-Link's product page promotes "On-Device Machine Learning" for AI person/vehicle/pet detection, implying video data stays on the device for processing.
What we found: While AI detection runs on-device via the NT98562 SoC, the camera connects to multiple cloud endpoints (euw1-api.tplinkcloud.com, use1-api.tplinkcloud.com, aps1-api.tplinkcloud.com, devs.tplinkcloud.com, n-devs.tplinkcloud.com). The privacy policy states "images and videos collected via cloud services" and "audio and visual data is stored when subscribed to Tapo Care." The Tapo Care cloud subscription is heavily promoted with a 30-day free trial. Event clips from AI detection triggers are uploaded to cloud when Tapo Care is active, meaning AI detection results — not just raw video — flow to TP-Link's servers.
What they claim: TP-Link's privacy policy mentions IMEI collection only through an opt-in "User Experience Improvement Program," suggesting data collection is limited and consent-based.
What we found: The Tapo app requests ACCESS_ADSERVICES_AD_ID and ACCESS_ADSERVICES_ATTRIBUTION permissions by default — these are advertising tracking permissions that function regardless of the User Experience Improvement Program opt-in. Google Firebase Analytics tracker is embedded in the app, collecting usage analytics automatically. The combination of ad ID tracking, Firebase Analytics, and background location creates a comprehensive user profile without requiring opt-in to any improvement program.
What they claim: TP-Link markets the Tapo C520WS with "128-bit AES Encryption with SSL/TLS" and promotes its "Privacy Security" page emphasizing data protection and secure connections.
What we found: Security researcher evilsocket discovered that TP-Link Tapo cameras use hardcoded SSL private keys shared across ALL devices of the same model (CVE-2025-8065 research). The same private key is embedded in firmware, meaning any attacker on the local network can decrypt HTTPS traffic. The KLAP protocol shared across the Tapo platform has known vulnerabilities. Additionally, CVE-2025-0919 shows the HTTP parser can be crashed with oversized URLs without authentication, and CVE-2025-1315 allows unauthenticated firmware update endpoint exploitation.
What they claim: TP-Link's security commitment page and Tapo privacy marketing emphasize their dedication to security updates and responsible vulnerability management.
What we found: CVE-2025-0919 and CVE-2025-1315 show unauthenticated attackers can crash the camera or force reboots — basic denial of service without needing any credentials. CVE-2025-14553 leaks password hashes to anyone on the local network. The evilsocket research on Tapo C200 (shared platform) revealed a 150-day disclosure timeline before TP-Link acknowledged vulnerabilities, hardcoded cryptographic keys, and buffer overflows in basic XML parsing — fundamental security failures. CVE-2023-35717 shows authentication bypass via weak password recovery. These are not edge cases — they represent systemic security failures across the Tapo platform.
What they claim: TP-Link's privacy policy states data is retained only "as long as account is used" and offers CCPA deletion rights. The Tapo privacy page promotes transparency about data handling.
What we found: The CCPA section of TP-Link's privacy policy allows deletion requests but provides no compliance timeline. The policy discloses sharing with "advertising" providers and "marketing providers (anonymized)" and "service providers (software maintenance, advertising, email, analytics)" — extensive data sharing for a security camera. Wi-Fi credentials are collected as part of "device log files and configurations." No explicit data retention period is stated despite CCPA requirements. For an outdoor camera that captures public spaces including neighbours and pedestrians, there is no disclosure about third-party privacy obligations.
What they claim: The Tapo app requests MANAGE_OWN_CALLS, READ_PHONE_STATE, and ACCESS_BACKGROUND_LOCATION — permissions that go well beyond camera operation.
What we found: The C520WS hardware (Novatek NT98562 SoC, RTL8192EU WiFi, no cellular modem, no GPS) has no capability to make phone calls, access cellular networks, or determine geographic location independently. The camera is a fixed outdoor WiFi device. MANAGE_OWN_CALLS and READ_PHONE_STATE serve no camera function. ACCESS_BACKGROUND_LOCATION on a phone controlling a fixed outdoor camera is not needed for device operation — the camera knows where it is because it doesn't move.