TP-Link says your camera videos are protected by strong encryption, but researchers found that every single Tapo C200 camera in the world shares the same secret key. This is like a lock manufacturer giving every customer the same key — anyone who knows the key can watch your camera feed.
critical
TP-Link offers a 'privacy mode' that physically covers the lens, but critical security flaws let attackers take complete control of your camera remotely. A hacker could turn the camera on without you knowing, redirect its video feed to their own server, or access recordings you thought were safely stored on your SD card.
critical
TP-Link brags about security certifications and regular audits, but for over two years their camera had a flaw so basic that any attacker could take full control of it remotely. Then in 2025, researchers found the same camera shares one secret key across every unit ever made — something any real security audit would catch immediately. The certifications appear to be meaningless.
TP-Link says your camera footage is encrypted and secure, but security researchers found that the encryption keys are identical on every camera of the same model. Anyone on your Wi-Fi network could potentially decrypt your video streams. This is like a lock manufacturer using the same key for every lock they sell.
critical
TP-Link says they take security seriously, but their cameras have been found with the same encryption keys in every unit, can be crashed by anyone on your network without a password, and leak your account password to nearby attackers. When a researcher reported these issues, it took TP-Link five months to respond. For a device watching your home 24/7, this is deeply concerning.
critical
Every Tapo C200 camera shares the same SSL private key. Every single one. An attacker on your Wi-Fi can hijack your camera and watch the feed. 16 vulnerabilities. 25,000 devices exposed online. TP-Link took 150 days to respond. The researcher called it "TAPOcalypse." The name fits — every Tapo camera in the world was compromised by the same hardcoded key.
TP-Link says your data goes to the US, Ireland, and Singapore — but never mentions China. Yet the company is headquartered in Hong Kong, the router hardware is designed and tested in Guangzhou, China, and the US government is considering banning TP-Link over national security concerns about Chinese government ties. The privacy policy is silent about where your data actually originates and who at the parent company can access it.
critical
TP-Link presents HomeShield as an optional security subscription you can choose to enable. But the HomeShield code actually runs on your router whether you activate it or not — and it has a critical security hole that lets hackers take over your router through that always-running code. A similar TP-Link router was caught sending over 80,000 requests per day to a security company's servers even when the user never turned that feature on.
critical
TP-Link tells you that your family's browsing history stays on your router and is never uploaded to the cloud. But their own HomeShield privacy policy says the opposite — when parental controls are active, your family's DNS queries, web addresses, and network data ARE uploaded to TP-Link's cloud. Your browsing data is also shared with Norton and F-Secure through software embedded in the router.
TP-Link claims your camera data is protected by strong encryption that is "highly resistant to eavesdropping," but security researchers found that the encryption system (KLAP protocol) used by the C210 has fundamental flaws. An attacker on your network could intercept the camera's communications and steal your Wi-Fi password — the opposite of what TP-Link claims.
critical
TP-Link suggests you can keep your camera footage private by storing it locally on an SD card instead of in the cloud. But the camera still connects to TP-Link's cloud servers regardless, and security researchers found that anyone on your home Wi-Fi network could bypass the camera's password protection and take full control of it — potentially watching your video feed.
high
TP-Link says they care about your privacy and security, but their app includes advertising tracking tools and requests permission to track your location even when you are not using it. The privacy page does not mention these advertising features.
TP-Link says your Deco router only tracks your browsing if you turn on Parental Controls. But users discovered the router secretly looks up popular websites like Netflix and Amazon on its own — even when nobody is using the internet. This means your router may be monitoring what sites your household visits without your knowledge or consent.
critical
TP-Link says they keep your data safe. But the U.S. government is investigating whether TP-Link routers are a national security threat. Three federal agencies are looking into the company, and they're considering banning TP-Link products entirely. Chinese law could force TP-Link to hand over your data or push malicious updates to your router. Thousands of TP-Link routers have already been hijacked by Chinese government hackers.
critical
TP-Link promises your router is secure. But security researchers have found the same type of critical flaw — letting hackers run commands on your router — in three different Deco models over three consecutive years. Each time TP-Link fixes one model, the same bug appears in another. Your router sees everything on your network, and these bugs let attackers take full control of it.
TP-Link says they collect data when you use their services. But the router secretly sends your network information to a third-party company (Avira) every single minute, even when you have turned off the security feature that supposedly needs that data. You cannot stop it without breaking your router.
critical
TP-Link sells a "security" feature called HomeCare that scans ALL internet traffic from every device in your home. But multiple US government agencies are investigating whether TP-Link could be forced by Chinese law to hand over exactly this kind of data to the Chinese government. Your router's "security" feature is also a surveillance capability — and the US government considers this a national security threat.
critical
Your TP-Link router automatically downloads and installs software updates from TP-Link's servers. Security researchers found that TP-Link's firmware update process has weak verification — it can be tricked into installing fake updates. The US government is investigating whether China could order TP-Link to push a malicious update to millions of routers. This means a single bad update could compromise every device in your home.
Your router secretly sends your browsing data (every website you visit) to a company called NortonLifeLock for "security scanning." This is buried in a separate privacy policy that most users never see.
critical
Hackers backed by the Chinese government have turned thousands of TP-Link routers into a spy network. The U.S. government is so concerned it may ban the company entirely. Meanwhile, multiple security holes remain in the same router firmware.
critical
The "security" feature TP-Link sells to protect your network actually contains a backdoor that hackers can use to take complete control of your router. The irony: the security feature is itself the security risk.
TP-Link promotes AES-128 encryption as bank-grade security on their marketing page. Independent researchers found that this exact encryption implementation is the weakness that lets attackers intercept your data. They are advertising the vulnerability as a feature.
critical
TP-Link claims your data is protected by TLS 1.2 encryption during transmission. Researchers found the smart plug communicates with your phone without any HTTPS encryption at all. Anyone on your Wi-Fi network could intercept commands and data between your phone and plug.
high
The Tapo app asks for permission to use your phone camera, microphone, and continuous location tracking — to control a plug that turns on and off. The plug has no sensors at all. These permissions let the app collect data from your phone that has nothing to do with the smart plug.
TP-Link says they use encryption to protect your data, but security researchers found their smart plug communicated using a cipher so weak it could be reversed by anyone on your Wi-Fi network. Instead of fixing the encryption, TP-Link removed local control entirely, forcing all communication through their cloud servers instead.
critical
TP-Link claims to use TLS encryption (the same technology that protects your online banking), but security researchers found the device doesn't actually check if it's talking to the real TP-Link server. This means anyone on your network could pretend to be TP-Link's server, intercept all your data, and even take control of your plug — completely defeating the encryption TP-Link promised.
high
The smart plug tracks exactly how much electricity each of your connected devices uses and when. While marketed as a tool for you to save money, the privacy policy reveals this detailed power usage data — which can reveal your daily routines, what appliances you own, and when you're home — can be shared with a third-party energy company called OhmConnect, along with your account login information.
TP-Link says they take security seriously and have international security certifications, but academic researchers found their smart bulb uses weak encryption that can be broken, hard-coded passwords that never change, and messages that can be replayed by attackers. Four separate security flaws were found in a device that just turns lights on and off.
critical
When you set up this smart bulb, it creates a temporary Wi-Fi network. Researchers proved that a nearby attacker can pretend to be your bulb during setup and steal your home Wi-Fi password, your Wi-Fi network name, and your TP-Link account login credentials — all because you wanted to connect a light bulb.
high
To control a light bulb that just turns on and off, TP-Link's app demands access to your camera, microphone, precise GPS location (even in the background), and phone information. A light bulb does not need to know where you are, what you look like, or what you sound like.
The Tapo C200 — one of the best-selling budget security cameras on Amazon — had a CVSS 9.8 vulnerability. That's as bad as it gets. Anyone on your Wi-Fi could take complete control of the camera without a password. Watch live. Record audio. Pivot into your network. A separate bug leaked your Wi-Fi password in plaintext during setup. The camera you bought to protect your home was the biggest hole in its security.
high
Italian and British university researchers found four vulnerabilities in a TP-Link smart bulb. The worst one: during setup, a hacker within Wi-Fi range could impersonate the bulb and steal your home Wi-Fi password in plaintext. The "encryption" protecting the handshake used a hardcoded secret so short it could be cracked instantly. A $10 light bulb could hand your entire home network to anyone within radio range.
high
TP-Link controls 65% of home routers sold in America. It is headquartered in Shenzhen, China, where Article 7 of the National Intelligence Law requires every company to hand over data when the government asks. US lawmakers asked the Commerce Department to investigate. By late 2024, a formal probe was underway. Two-thirds of American homes route all their internet traffic through hardware built by a company legally obligated to cooperate with Chinese intelligence.
TP-Link makes 65% of the routers Americans buy. The US government is investigating whether to ban them. Commerce, Defense, and Justice departments — all three probing one router company. TP-Link is headquartered in Shenzhen, China, subject to China's National Intelligence Law. Your router sees every device on your network, every website you visit, every connection you make. Two-thirds of American homes chose to put a Chinese government-obligated device between their entire digital life and the internet. The device that sees everything in your home is made by a company legally required to show everything to Beijing.
critical
The FCC banned TP-Link routers. March 23, 2026. Not just TP-Link — all foreign-made routers, but TP-Link holds 65% of the American market, so the impact is theirs. The reason: Volt Typhoon, Flax Typhoon, Salt Typhoon — Chinese state-sponsored cyberattack campaigns that used home routers to infiltrate American communications and critical infrastructure. Microsoft found thousands of compromised TP-Link routers in the attack chain. Texas sued TP-Link for allowing Beijing access to American devices. The router sitting in two-thirds of American homes was a weapon in a cyberwar most Americans didn't know was happening.
high
TP-Link routers have been recruited into botnets. The Mirai botnet exploited a command injection vulnerability in the Archer AX21 — one of the best-selling routers in America — to turn home routers into weapons for DDoS attacks. CISA flagged it as actively exploited. Researchers found hardcoded credentials, default admin passwords, and firmware updates that don't verify who sent them. Some models phone home to Chinese servers even after factory reset. Your router — the device that controls your entire home network — has hardcoded passwords and unverified firmware updates.