TP-Link Community > Kasa Smart Switches > Security risks
< Kasa Smart Switches

Security risks

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Security risks

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Security risks
Security risks
2020-06-02 16:16:00
Model: HS103  
Hardware Version:
Firmware Version:

I have some questions about security planned for these devices. I bought about 10 of them in my home, and from a outsider view - things worked good, product seems of good quality etc.

 

However, after doing some reading - I have some security concerns before I invest any more money into this product.  I'm honestly thinking of removing them all.

 

Devices are essentially "open" on the local network, due to trivial encryption for commands. If someone gains access to your WIFI network, the devices can be manipulated.

I have tried this myself and it's painfully obvious that you could reset devices, turn anything on/off without any authentication.

 

 

Are there any plans to implement device authentication that is based on my user account (a token or another mechanism) to further secure devices, once configured? Seems like JWT token or something would make sense here so you can't just connect and do what you want, unauthenticated.

 

Another option is to enable the firewall on the Linux OS on the device and allow only certain MAC adddresses (like my phone) to communicate to the device. Adding a further layer (can be thwarted with MAC spoofing).

 

The upside of this vulnerability is these switches are quite "hackable". I.e you can control them with scripts/batch files form any laptop, rPI etc. However, I'd rather have a published API and supported by TP-LINK that is secure, than a device that I can control but so can anyone else.

 

TP Link removed the "local only" option. Not that it really matters, but personally I think this is going the wrong way. We need more control over the security and configuration of these products, not less. We want secure home automation systems.

 

There is also no 2FA.

 

Bottom line: Relying on just the wifi password, which can be relatively easily socially engineered, cracked, given out by your kids etc is not good enough when we are controlling all sorts of electrical devices etc in our homes.

 

 

 

 

  0      
 
  0      
 
#1
Options
5 Reply
Re:Security risks
2020-06-02 20:51:28

I think, if someone breaks into your local network you'll have more serious issues than them controlling your lights...  a better way to protect them is to isolate them on a separate subnet and SSID.

With the number of IoT providers going belly up (best buy, osram, wink now charges for access, belkin keeps dropping support, locking down the local API would be a mistake.  At best it means you must give the manufacturer all of your login details go get access (that's what Tuya/SmartLife does, they can easily record your GPS location, SSID, password, and personal habits for later use or sale).  At worst your devices become useless or far too expensive to use.  "Local Only" access only meant *you* couldn't get access to your devices, TP Link still had complete access from their cloud.

Better is for the devices to keep an open API so you can *block* them from the internet, and use one of the local automation server solutions to manage them yourself and get decent integration.  I only buy devices that provide an accessible local API - I won't be delegating my home automation to some cloud service - it's my home and I want to keep it all there.

AutomationManager: Secure home automation without relying on cloud servers.
  1  
  1  
#2
Options
Re:Security risks
2020-06-02 21:49:20

@MikeP Thanks for your response. Some comments

 

> I think, if someone breaks into your local network you'll have more serious issues than them controlling your lights...

Perimiter security should not be the only line of defence. Google created a zero trust model to illustrate this.

 

> a better way to protect them is to isolate them on a separate subnet and SSID.

Agreed, this is a good practice but with the downside of more complex setup and will cause other issues, like the standard app would no longer directly be able to communicate with devices either, since you're by design not on the same SSID. It would have to do it via their cloud API or uou could implement third party control systems like openhab and carefully setup routing etc... Probably beyond most consumers.

>  locking down the local API would be a mistake

I'm 100% in favor of the local API, just not an unautenticated one.

> At best it means you must give the manufacturer all of your login details go get access
All TP-LINK smart plugs/switches call home periodically.
Each of your plugs have a GPS coordinate (captured during install from your phone).
It also needs to register so they associate the switch with your account.

You can be pretty sure they can see and control every aspect of these devices, unless you reconfigure their internal URL or block traffic.
 

> "Local Only" access only meant *you* couldn't get access to your devices, TP Link still had complete access from their cloud.

Yes correct. This had little to no security benefit. Perhaps only if someone momentarily got access to your phone outside the house they would not be able to switch things on/off. But losing your phone is again a bigger issue :)

 

> Better is for the devices to keep an open API so you can *block* them from the internet
> I only buy devices that provide an accessible local API

To me there is a difference here.

The TP-LINK API is not open (to my knowledge). 
I.e. there is no official SDK with published behaviour, support etc.

Integration with the likes of https://www.openhab.org/ is achieved through

a) reverse engineering

b) poor encyption/security practices

 

> I won't be delegating my home automation to some cloud service - it's my home and I want to keep it all there.

Yes, that would be great. 


Ideally they publish an open SDK that shows you how to obtain an OAUTH2 token to access a resource, or provide public/private key validation (like an SSH key) or something similar that can easily be configured on all the devices. That way - it's open, flexible and secure and you're not breaking any terms of service :)

 

 

 

 



 

 

 

 

  0  
  0  
#3
Options
Re:Security risks
2020-06-03 01:01:26
Sounds like you might prefer the SmartLife/Tuya app and the China sourced devices they support. I do support them in AutomationManager but to do so I'm forced to use the same library as their app. Basically their library makes an OAuth call back to their servers to obtain an account/device key to access the devices. I don't like them for exactly that reason - their servers must be up, I must have an account there to manage devices I own, and my devices are accessible from their cloud. So a dependency that their cloud service stays operational and secure, and now my personal data is kept on servers owned by a foreign national. I support them grudgingly (there's a lot of demand because they tend to be cheap), but for my own use I re-flash them right away with my own firmware (which has built in local password protection against firmware changes). True it's harder to setup AutomationManager to have local only home automation. And I only support cross manufacturer integration for those manufactures that have a local API. And it's best to use a firewall to block the devices reaching out themselves. But that's the choice - easy or truly safe AND reliable... If TPLink forced in an OAuth dependency on their cloud into their local API I'd stop supporting them.
AutomationManager: Secure home automation without relying on cloud servers.
  0  
  0  
#4
Options
Re:Security risks
2020-06-03 01:06:19
"All TP-LINK smart plugs/switches call home periodically. Each of your plugs have a GPS coordinate (captured during install from your phone). It also needs to register so they associate the switch with your account. You can be pretty sure they can see and control every aspect of these devices, unless you reconfigure their internal URL or block traffic." Very true, most do. For TP Link (and wemo), once they're connected to your wifi you can block them from reaching the internet at all. Use an alternate app like AutomationManager to control them and your location is no longer known to them. Some TP Link devices even let you change the wifi settings locally so you can move them from a guest to private wifi connection without exposing your password - that's a great feature.
AutomationManager: Secure home automation without relying on cloud servers.
  0  
  0  
#5
Options
Re:Security risks
2020-06-08 17:16:32

@Dodgyrabbit @Kevin_Z Is this something that you can weigh in on? Are there plans to provide a password based auth to the devices on local network least? Any insights appreciated.

  0  
  0  
#6
Options

Information

Helpful: 0

Views: 4030

Replies: 5

About Us
Press
Copyright © TP-Link Corporation Limited. All rights reserved.