
Tapo P100

Notable issues
TP-Link · 🇨🇳 China · Cellular
Technical details
FCC ID: TE7P100
Chipset: Realtek RTL8720CF
App: com.tplink.iot
Manufacturer: TP-Link

⚠️ The bottom line

TP-Link promotes AES-128 encryption as bank-grade security on their marketing page. Independent researchers found that this exact encryption implementation is the weakness that lets attackers intercept your data. They are advertising the vulnerability as a feature. TP-Link claims your data is protected by TLS 1.2 encryption during transmission. Researchers found the smart plug communicates with your phone without any HTTPS encryption at all. Anyone on your Wi-Fi network could intercept commands and data between your phone and plug.

Legal jurisdiction
🇨🇳 China (headquarters)
National Intelligence Law: the company must secretly hand data to Chinese intelligence on request.
Data Security Law: the state can classify any data as 'important' and demand access for national security.
Spying: 4/4 EXTREME (Is someone spying on me?)
Data Sharing: 2/4 MODERATE (Who gets my data?)
Security: 4/4 EXTREME (Is it actually secure?)
Honesty: 3/4 HIGH (Can I trust what they say?)
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
10 contradictions (2 critical, 4 high, 4 medium), 5 sources
Findings by concern
Spying: 4/4 EXTREME (4 findings)
⚠️ Critical: marketing claims vs regulatory findings
TP-Link promotes AES-128 encryption as bank-grade security on their marketing page. Independent researchers found that this exact encryption implementation is the weakness that lets attackers intercept your data. They are advertising the vulnerability as a feature.

What they claim: AES 128-bit encryption is a highly secure cryptographic method... making it practically impossible to crack without the correct key

What we found: CVE-2023-38907: Weak CBC-AES128 encryption in Tapo device communication allows traffic interception. University of Catania/London research confirmed this is the vulnerability, not a security feature.

⚠️ Critical: marketing claims vs regulatory findings
TP-Link claims your data is protected by TLS 1.2 encryption during transmission. Researchers found the smart plug communicates with your phone without any HTTPS encryption at all. Anyone on your Wi-Fi network could intercept commands and data between your phone and plug.

What they claim: Tapo implements TLS 1.2 encryption protocol when it comes to storing and transmitting sensitive information

What we found: University of Catania/London research (SECRYPT 2024) found Tapo devices lack HTTPS for device-to-app communication entirely. No TLS observed in device-to-app traffic.

⚡ High: app permissions vs firmware analysis
The Tapo app asks for permission to use your phone camera, microphone, and continuous location tracking — to control a plug that turns on and off. The plug has no sensors at all. These permissions let the app collect data from your phone that has nothing to do with the smart plug.

What they claim: Tapo app (com.tplink.iot) requests CAMERA, RECORD_AUDIO, ACCESS_FINE_LOCATION, ACCESS_BACKGROUND_LOCATION, READ_PHONE_STATE, MANAGE_OWN_CALLS, MODIFY_AUDIO_SETTINGS — 41 permissions total

What we found: The Tapo P100 is a relay switch with a Realtek RTL8720CF SoC providing only Wi-Fi and BLE. No camera, microphone, GPS, or any sensors. FCC filing TE7P100 confirms the device has only Wi-Fi and BLE radios.

⚡ High: app permissions vs policy claims
The Tapo app can keep your phone microphone active in the background through a persistent service — for a smart plug with no speaker or microphone. The privacy policy never mentions collecting audio from smart plug users. There is no legitimate reason for a plug controller to need persistent microphone access.

What they claim: App requests FOREGROUND_SERVICE_MICROPHONE — persistent microphone access via a foreground service

What we found: Privacy policy does not mention microphone data collection for smart plug users. Device is a socket with no microphone. FOREGROUND_SERVICE allows the app to maintain microphone access while running in the background.

Data Sharing: 2/4 MODERATE (1 finding)
⚡ High: policy claims vs app permissions
The privacy policy vaguely mentions sharing data with business partners but does not name them. Meanwhile, the app has dedicated advertising tracking permissions that identify you across ad networks. You are being tracked for advertising purposes through your smart plug app, and the policy does not clearly tell you who is receiving that data.

What they claim: Policy mentions sharing data with unnamed business partners

What we found: App includes ACCESS_ADSERVICES_AD_ID, ACCESS_ADSERVICES_ATTRIBUTION, AD_ID, and BIND_GET_INSTALL_REFERRER_SERVICE — dedicated advertising attribution and ad tracking permissions. These identify specific ad-tech data flows the policy does not name.

Security: 4/4 EXTREME (3 findings)
⚡ High: policy claims vs firmware analysis
Your smart plug stores your Wi-Fi password — it needs it to connect to your network. Security researchers proved that attackers can extract that password from the plug due to a protocol flaw. TP-Link's privacy policy says nothing about this risk. If someone exploits this, they get access to your entire home network.

What they claim: Privacy policy is silent on the risk of Wi-Fi credential exposure

What we found: CVE-2023-38906: TP-Link Tapo devices allow unauthenticated session key derivation via the KLAP protocol, enabling command injection and Wi-Fi credential theft. FCC confirms BLE onboarding transfers Wi-Fi credentials to device.

⚫ Medium: marketing claims vs regulatory findings
TP-Link markets a comprehensive security system for Tapo devices. The academic record shows three known security vulnerabilities, two rated high severity, with only a partial fix released over a year later. Comprehensive defense does not match the evidence.

What they claim: Tapo utilizes a comprehensive data defense system to defend against data attacks and threats

What we found: 3 CVEs assigned (CVE-2023-38906, 38907, 38908 — two HIGH, one MEDIUM). TP-Link released only a partial fix in December 2023. Vulnerabilities include command injection, weak encryption, and insufficient authentication.

⚫ Medium: marketing claims vs firmware analysis
TP-Link displays ISO security certifications prominently on their Tapo page, implying the products are secure. ISO certification means they have a security paperwork process — it does not mean the plug itself is secure. The actual product has known, exploitable vulnerabilities that the certifications did not prevent.

What they claim: Prominent display of ISO 27001:2022 and ISO 27701:2019 certifications implying product security

What we found: Three unpatched CVEs, weak CBC-AES128 encryption, no HTTPS for device communication, Wi-Fi credential exposure via KLAP protocol. ISO certification covers management processes, not product security.

Honesty: 3/4 HIGH (2 findings)
⚫ Medium: firmware analysis vs policy claims
Your smart plug only works if TP-Link's servers are online. Even if your phone and plug are on the same Wi-Fi, commands travel to TP-Link's cloud and back. If their servers go down or they discontinue the service, your plug becomes useless. This permanent cloud dependency is never disclosed.

What they claim: All device commands route through TP-Link cloud servers (euw1-api.tplinkcloud.com, use1-api.tplinkcloud.com, aps1-api.tplinkcloud.com, devs.tplinkcloud.com). Device stops working without internet.

What we found: Neither privacy policy nor marketing materials disclose that the P100 requires permanent internet connectivity for basic operation, or that all commands route through TP-Link servers in multiple regions even for local control.

⚫ Medium: app permissions vs policy claims
The Tapo app starts automatically every time you turn on your phone and runs continuously in the background, even preventing your phone from putting it to sleep. For a smart plug you might use twice a day, the app is always running and always active. This is never mentioned in the privacy policy.

What they claim: App requests RECEIVE_BOOT_COMPLETED, FOREGROUND_SERVICE, FOREGROUND_SERVICE_DATA_SYNC, WAKE_LOCK — auto-start and persistent background operation

What we found: The privacy policy does not disclose that the Tapo app automatically starts when your phone boots and runs continuously as a foreground service, holding a wake lock so the phone cannot suspend it.
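The permission findings above (sensor permissions on a sensorless plug, advertising attribution permissions, and the boot-time/wake-lock persistence set) all come from the same method: compare what an app declares against what the controlled device can physically do. The script below is an added example, not code from the page or from TP-Link. The permission names are the ones the page lists for com.tplink.iot and the P100 hardware profile (relay, Wi-Fi plus BLE, no sensors) is also from the page; INTERNET and BLUETOOTH_CONNECT are assumed additions so the audit has something to mark as justified, and the permission-to-hardware mapping is my own classification rather than anything Android defines. It also generalises beyond the P100: a second profile with a camera and microphone shows the same permissions coming out as justified.

```python
# Added example (not from the scorecard page or TP-Link): capability-based audit
# of an app's declared Android permissions against the device it controls.
# Permission names: from the page's findings. Hardware profile: from the page.
# INTERNET and BLUETOOTH_CONNECT are ASSUMED additions; the mapping tables are
# my own classification, not an Android API.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class DeviceProfile:
    name: str
    radios: Set[str]   # e.g. {"wifi", "ble"}
    sensors: Set[str]  # e.g. {"camera", "microphone"}; empty for a plain relay


# Permissions that only make sense if the controlled device has the hardware.
SENSOR_PERMISSIONS = {
    "CAMERA": "camera",
    "RECORD_AUDIO": "microphone",
    "FOREGROUND_SERVICE_MICROPHONE": "microphone",
    "MODIFY_AUDIO_SETTINGS": "speaker",
    "ACCESS_BACKGROUND_LOCATION": "gps",  # continuous tracking; no BLE excuse
}
# Permissions a radio on the device can justify. ACCESS_FINE_LOCATION is accepted
# only because Android versions before 12 gated BLE scan results behind it; it
# still deserves review on current Android.
RADIO_PERMISSIONS = {
    "BLUETOOTH_CONNECT": "ble",
    "BLUETOOTH_SCAN": "ble",
    "ACCESS_FINE_LOCATION": "ble",
    "INTERNET": "wifi",
    "ACCESS_WIFI_STATE": "wifi",
    "CHANGE_WIFI_STATE": "wifi",
}
AD_TRACKING_PERMISSIONS = {
    "ACCESS_ADSERVICES_AD_ID", "ACCESS_ADSERVICES_ATTRIBUTION",
    "AD_ID", "BIND_GET_INSTALL_REFERRER_SERVICE",
}
PERSISTENCE_PERMISSIONS = {
    "RECEIVE_BOOT_COMPLETED", "FOREGROUND_SERVICE",
    "FOREGROUND_SERVICE_DATA_SYNC", "WAKE_LOCK",
}
PHONE_IDENTITY_PERMISSIONS = {"READ_PHONE_STATE", "MANAGE_OWN_CALLS"}

# Constructed input: the permissions the page lists, plus the two assumed ones.
TAPO_APP_PERMISSIONS = [
    "CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION",
    "READ_PHONE_STATE", "MANAGE_OWN_CALLS", "MODIFY_AUDIO_SETTINGS",
    "FOREGROUND_SERVICE_MICROPHONE", "ACCESS_ADSERVICES_AD_ID",
    "ACCESS_ADSERVICES_ATTRIBUTION", "AD_ID", "BIND_GET_INSTALL_REFERRER_SERVICE",
    "RECEIVE_BOOT_COMPLETED", "FOREGROUND_SERVICE", "FOREGROUND_SERVICE_DATA_SYNC",
    "WAKE_LOCK",
    "INTERNET", "BLUETOOTH_CONNECT",  # ASSUMED, not listed on the page
]

TAPO_P100 = DeviceProfile("Tapo P100", radios={"wifi", "ble"}, sensors=set())


def audit_permissions(perms: Iterable[str], device: DeviceProfile) -> Dict[str, List[str]]:
    """Bucket each permission by whether the device hardware can justify it."""
    report: Dict[str, List[str]] = {k: [] for k in (
        "justified", "sensor_mismatch", "ad_tracking",
        "persistence", "phone_identity", "unclassified")}
    for p in sorted(set(perms)):
        if p in SENSOR_PERMISSIONS:
            bucket = "justified" if SENSOR_PERMISSIONS[p] in device.sensors else "sensor_mismatch"
        elif p in RADIO_PERMISSIONS:
            bucket = "justified" if RADIO_PERMISSIONS[p] in device.radios else "unclassified"
        elif p in AD_TRACKING_PERMISSIONS:
            bucket = "ad_tracking"
        elif p in PERSISTENCE_PERMISSIONS:
            bucket = "persistence"
        elif p in PHONE_IDENTITY_PERMISSIONS:
            bucket = "phone_identity"
        else:
            bucket = "unclassified"
        report[bucket].append(p)
    return report


def risk_flags(report: Dict[str, List[str]]) -> List[str]:
    """Turn the buckets into the kind of findings the scorecard raises."""
    flags = []
    if report["sensor_mismatch"]:
        flags.append("SENSOR_PERMISSIONS_WITHOUT_HARDWARE")
    if report["ad_tracking"]:
        flags.append("AD_TRACKING_UNDISCLOSED_PARTNERS")
    # Boot auto-start plus a wake lock is the always-on pattern the page describes.
    if {"RECEIVE_BOOT_COMPLETED", "WAKE_LOCK"} <= set(report["persistence"]):
        flags.append("ALWAYS_ON_BACKGROUND_SERVICE")
    if report["phone_identity"]:
        flags.append("PHONE_IDENTITY_ACCESS")
    return flags


if __name__ == "__main__":
    rep = audit_permissions(TAPO_APP_PERMISSIONS, TAPO_P100)
    for bucket, names in rep.items():
        print(f"{bucket:16s} {', '.join(names) or '-'}")
    print("flags:", risk_flags(rep))
```

Run against the P100 profile, every sensor permission lands in `sensor_mismatch` and all four flags fire; run against a hypothetical camera profile, CAMERA and RECORD_AUDIO move to `justified`. The same tables applied to an APK's merged manifest (for instance the permission list that `aapt dump permissions` prints) give a quick first pass before reading the privacy policy.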

What happened to real people
Documented incidents involving TP-Link products and user data.
TP-Link routers used as infrastructure in Volt Typhoon — Chinese state-sponsored attacks targeting US critical infrastructure including water, energy, and communications. CISA advisory.
What your data is worth to governments
Jurisdiction: CN. China National Intelligence Law, Article 7: all organisations must support national intelligence work.