The Tapo C200 — one of the best-selling budget security cameras on Amazon — had a CVSS 9.8 vulnerability. That's as bad as it gets. Anyone on your WiFi could take complete control of the camera without a password. Watch live. Record audio. Pivot into your network. A separate bug leaked your WiFi password in plaintext during setup. The camera you bought to protect your home was the biggest hole in its security.

Italian and British university researchers found four vulnerabilities in a TP-Link smart bulb. The worst one: during setup, a hacker within WiFi range could impersonate the bulb and steal your home WiFi password in plaintext. The "encryption" protecting the handshake used a hardcoded secret so short it could be cracked instantly. A $10 light bulb could hand your entire home network to anyone within radio range.
What they claim: TP-Link Tapo cameras advertise "encrypted video streaming" and "secure remote access" with password-protected feeds available only to authenticated users.
What we found: Multiple critical CVEs affect Tapo cameras. CVE-2021-4045 (CVSS 9.8) revealed the Tapo C200 camera had a command injection vulnerability allowing unauthenticated remote code execution. An attacker on the same network could take full control of the camera without any credentials. Additional vulnerabilities (CVE-2023-27126) exposed WiFi credentials in plaintext during setup.
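To show what the bug class behind CVE-2021-4045 looks like in code, here is an added illustration in Python. It is not TP-Link firmware and says nothing about the actual injection point; the endpoint, the `set_name` utility, the parameter and the session tokens are all hypothetical. It places a vulnerable handler (untrusted input pasted into a shell string, no authentication) next to a hardened one (authenticate first, allow-list the value, pass it as a single argv element with no shell).

```python
import re
from typing import List, Optional, Tuple

# Added illustration, not TP-Link code. A minimal "set device name" request
# handler in the shape of the command-injection bug class CVE-2021-4045
# belongs to. Endpoint, utility name and tokens are hypothetical.

# Constructed sample: session tokens a real device would issue after login.
VALID_TOKENS = {"tok-7f3a"}

# Allow-list: a device name is 1-32 characters of letters, digits, '-' or '_'.
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def build_command_vulnerable(device_name: str) -> str:
    """Vulnerable pattern: untrusted input interpolated into a shell string.

    If this string is run with a shell (os.system / subprocess shell=True),
    characters such as ';', '&&', '|', backticks and $(...) in device_name
    are parsed as shell syntax, so the sender decides what else executes.
    """
    return f"set_name {device_name}"


def is_valid_device_name(device_name: str) -> bool:
    """Allow-list check: reject anything outside the expected character set."""
    return DEVICE_NAME_RE.fullmatch(device_name) is not None


def build_command_hardened(device_name: str) -> List[str]:
    """Hardened pattern: validate, then build an argv list.

    The value becomes one argument to the program and is never parsed by a
    shell, so shell metacharacters carry no meaning even if they get through.
    """
    if not is_valid_device_name(device_name):
        raise ValueError("device name contains disallowed characters")
    return ["set_name", device_name]


def handle_set_name(session_token: str,
                    device_name: str) -> Tuple[int, Optional[List[str]]]:
    """Request handler: authenticate first, validate second.

    Returns (HTTP status, argv that would be executed without a shell).
    The argv is returned rather than executed so the example runs anywhere;
    a real handler would call subprocess.run(argv, shell=False, check=True).
    """
    if session_token not in VALID_TOKENS:
        return 401, None          # unauthenticated requests never reach the command
    try:
        argv = build_command_hardened(device_name)
    except ValueError:
        return 400, None
    return 200, argv
```

Two controls are doing the work here, and a camera needs both: the authentication check means a stranger on the LAN cannot reach the dangerous code path at all, and the argv-plus-allow-list construction means that even an authenticated caller cannot turn a device name into extra shell commands. Either one alone would have been enough to stop unauthenticated remote code execution; neither was present in the affected firmware as the CVE describes it.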
What they claim: TP-Link states it operates independently in each market and complies with local privacy laws, presenting itself as a standard consumer electronics brand no different from competitors.
What we found: In 2024, US lawmakers called for investigation of TP-Link over national security concerns due to its Chinese ownership and potential obligations under China's National Intelligence Law (Article 7), which requires organizations to "support, assist, and cooperate with national intelligence work." TP-Link holds approximately 65% of the US home router market. The Commerce Department opened an investigation in late 2024.
What they claim: TP-Link's Tapo app privacy policy claims to collect only data "necessary for the functioning of the device" and states data is processed in accordance with GDPR.
What we found: Analysis of the Tapo app revealed it collects precise location data, device identifiers, WiFi network information, usage patterns, and sends telemetry to servers in China. Mozilla's Privacy Not Included review flagged that TP-Link's privacy policy allows sharing data with "affiliates" and "business partners" without specifying who they are. The app requests permissions far beyond what's needed for device control.
What they claim: TP-Link markets Tapo products as secure smart home devices with "advanced encryption" and claims to follow security best practices for IoT devices.
What we found: Researchers from University of Catania and University of London discovered four critical vulnerabilities in the Tapo L530E smart bulb and its companion app (published August 2023). CVE-2023-38906 allowed attackers to impersonate the bulb during setup and steal the user's WiFi password. The key exchange used a hardcoded short shared secret, making the encryption trivially breakable.
What they claim: TP-Link advertises Tapo products as suitable for home security monitoring, baby monitoring, and elderly care — use cases requiring the highest security standards.
What we found: CISA (US Cybersecurity and Infrastructure Security Agency) has issued multiple advisories for TP-Link products. In 2023, CISA added CVE-2023-1389 (TP-Link Archer router) to its Known Exploited Vulnerabilities catalog, confirming active exploitation by the Mirai botnet. TP-Link's track record shows a pattern of critical vulnerabilities across their product line, with the Tapo ecosystem inheriting the same firmware development practices.
What they claim: TP-Link states it uses "advanced security protocols" and industry-standard encryption to protect user credentials and device communications.
What we found: CVE-2023-27126 revealed that Tapo devices transmit WiFi credentials in plaintext during the device setup process. Researchers demonstrated that an attacker within WiFi range during setup could capture the home network password. Combined with the short shared secret in the key exchange protocol, the entire security architecture of Tapo's onboarding process was fundamentally broken.
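The smart-bulb finding above (a key exchange built on a hardcoded short shared secret) and the plaintext-credential finding here are the same design failure: the key that protects the WiFi password during onboarding is either absent or known in advance to anyone who has the app or firmware. The Python below is an added example, not TP-Link's protocol or code. It contrasts a constructed "scheme A" (session key derived from a short constant baked into every device and app) with a "scheme B" that derives a fresh per-session key from ephemeral Diffie-Hellman over the RFC 3526 2048-bit group and HKDF. The toy XOR keystream cipher, the `b"1234"` constant and the sample password are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added illustration, not TP-Link's onboarding protocol. Everything below is a
# constructed stand-in used to contrast a hardcoded-secret key with a fresh
# per-session key.

# 2048-bit MODP prime and generator from RFC 3526, group 14.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

# Scheme A (the weak pattern the researchers describe): one short constant
# shipped in every device and every copy of the app. Constructed value.
HARDCODED_SECRET = b"1234"


def key_from_hardcoded_secret() -> bytes:
    """Same key on every device and session; anyone holding the app has it."""
    return hashlib.sha256(HARDCODED_SECRET).digest()


# Scheme B: ephemeral Diffie-Hellman per session, then HKDF to a session key.
def dh_keypair():
    """Fresh private exponent in [1, P-2] and its public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_secret(priv: int, peer_pub: int) -> bytes:
    """g^(xy) mod p as 256 bytes; rejects the trivial public values 0, 1, p-1."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P).to_bytes(256, "big")


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF-Extract then HKDF-Expand with SHA-256."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher for the demo only: XOR with SHA-256(key||nonce||ctr)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def onboarding_demo(wifi_password: bytes = b"constructed-home-wifi-pass") -> dict:
    """Encrypt the WiFi password under each scheme and report who can read it."""
    nonce = secrets.token_bytes(8)
    # Scheme A: a passive observer who pulled HARDCODED_SECRET out of the app
    # derives the identical key and reads the credential off the wire.
    ct_a = stream_xor(key_from_hardcoded_secret(), nonce, wifi_password)
    observer_plain = stream_xor(key_from_hardcoded_secret(), nonce, ct_a)
    # Scheme B: the observer sees both public values but neither private
    # exponent, so the session key is not recoverable from captured traffic.
    app_priv, app_pub = dh_keypair()
    dev_priv, dev_pub = dh_keypair()
    k_app = hkdf_sha256(dh_shared_secret(app_priv, dev_pub), b"demo-onboarding")
    k_dev = hkdf_sha256(dh_shared_secret(dev_priv, app_pub), b"demo-onboarding")
    ct_b = stream_xor(k_app, nonce, wifi_password)
    device_plain = stream_xor(k_dev, nonce, ct_b)
    return {
        "hardcoded_observer_recovers": observer_plain == wifi_password,
        "ephemeral_keys_match": k_app == k_dev,
        "ephemeral_device_recovers": device_plain == wifi_password,
    }
```

Scheme B fixes only the problem the page names: with a hardcoded constant there is nothing to "crack", the key is simply shared with every copy of the app, while an ephemeral exchange gives each onboarding a key that exists nowhere but in the two endpoints. It does not by itself stop the impersonation attack in CVE-2023-38906: unauthenticated Diffie-Hellman lets a fake bulb complete the exchange with the app just as well as the real one. A sound onboarding design therefore also authenticates the device side, for example with a per-device secret printed on the unit or a device certificate, so the app can tell it is talking to the bulb it bought and not to whoever answered first.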