Local Access update from TP-Link required

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-02-28 20:26:07 - last edited 2021-03-01 01:29:02

Can someone from TP-Link please provide a clear update on local (non-cloud) access support? @Brook @TP-Link 

 

The previous announcement mentions

 

In the latest Kasa firmware release, we upgraded the local communication authentication method for the two smart sockets HS100(UK)4.1 and HS110(UK)4.1 ONLY (Other models and hardware versions would not be affected) to prevent local communication security risks. As a result, some third-party smart home software and platforms (such as Home Assistant) that use local APIs can no longer communicate with our devices.

 

...

 

Note: After upgrading to the Beta firmware, the devices won't receive new firmware updates in the future as all the new firmware will use the more secure local communication authentication method.

 

And we're also planning to push a more secure cloud API in the future before upgrading a more secure local communication authentication method on all Kasa devices. At that time, other third-party platforms/applications can register a developer account on our official website and integrate with us through our more secure APIs.

 

1. So what is the plan here? To remove direct local communication due to security concerns or give people with advanced use cases more secure local communication without the need for any cloud?

 

2. The announcement calls out HS100/110 UK models - what about other devices and other regions? Seems like they are affected. I'm assuming this change is in all new firmware for all devices by now?

 

3. I'd like to propose a solution that will meet TP-Link's security requirements and support the community with advanced use cases: In the Kasa app, under device settings, make a toggle to allow advanced local access with disclaimers and once a user accepts / turns on local access, flip a bit in the device that future firmwares respect when applying updates. This way, it's off/secure by default unless a user explicitly turns it on for their devices. The user could also turn off local access in the future to lock down the device.

 

Thank you

#1
1 Reply
Re:Local Access update from TP-Link required
2021-05-12 14:08:40

@FSF I have the HS200(US) ver 5.8 model that I purchased a few days ago and it apparently has the new lockout firmware. There have been rumors of a beta firmware that can be flashed to the devices to make them work properly, but I have not found it.

 

TP-Link ignores the obvious as far as security. All they need to do is print a crypto key, like DES, onto the front of the switch under the cover or on the box. When installing software, that key is entered, or photographed if it's a bar code. That makes the device virtually unhackable because no communication is possible without knowing the key. The owner of the device has easy access to that key, so it's a win-win.

 

Since TP-Link is not willing to get their head out of the cloud, I will be using ESPHome certified devices from now on.

#2
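
The printed-key idea in the reply above, as an added example (not code from the thread or from TP-Link): a hypothetical device accepts a local command only when it carries an HMAC-SHA256 tag computed with the key printed on the unit, over a one-time nonce, so a captured message cannot be replayed. HMAC-SHA256 stands in for the DES key the post names; `Device`, `sign`, `demo` and the sample key are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Device:
    """Hypothetical smart plug that only obeys commands authenticated with its printed key."""

    def __init__(self, printed_key: bytes):
        self._key = printed_key      # same value printed under the cover or on the box
        self._pending = set()        # nonces issued but not yet used
        self.relay_on = False

    def challenge(self) -> bytes:
        """Issue a fresh 16-byte nonce; each one is accepted at most once."""
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def handle(self, nonce: bytes, command: bytes, tag: bytes) -> bool:
        """Apply the command only if the tag proves knowledge of the printed key."""
        if nonce not in self._pending:
            return False             # unknown or already-used nonce: replay rejected
        self._pending.discard(nonce)  # burn the nonce whether or not the tag verifies
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag) or command not in (b"on", b"off"):
            return False             # wrong key, tampered command, or unknown command
        self.relay_on = command == b"on"
        return True


def sign(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """Controller side: the owner typed or scanned the key during setup."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    dev = Device(key)
    n1 = dev.challenge()
    tag = sign(key, n1, b"on")
    results = {"owner": dev.handle(n1, b"on", tag)}
    results["replay"] = dev.handle(n1, b"on", tag)  # same message sent again
    n2 = dev.challenge()
    results["wrong_key"] = dev.handle(n2, b"off", sign(b"\x00" * 16, n2, b"off"))
    n3 = dev.challenge()
    results["tampered"] = dev.handle(n3, b"off", sign(key, n3, b"on"))
    results["relay_on"] = dev.relay_on
    return results
```
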