HS100/HS110(UK) V4 Firmware 1.1.0 with Home Assistant - NOT
HS100/HS110(UK) V4 Firmware 1.1.0 with Home Assistant - NOT
Quoting:
Currently it's the UK version, but all of your devices suffer from this "local communication security risks". Are you planning to update the firmware for all of them? And provide betas for all of them to be rolled back?
If some day you find a *real* security issue how will the beta firmware users be informed of the risk, and how will you update their beta firmware?
Will it be possible to install this beta on newly purchased devices?
How will new customers discover the alternate beta firmware and request it be installed? Are you abandoning 3rd party integration support for future customers?
A better solution would be to make this an option that could be enabled in the firmware with the same warnings you have here. Do you really believe that the biggest risk to customers with have poor network security and weak network passwords is that someone will gain control their light switches and plugs?
This doesn't seem to be a coherent plan making it impossible to recommend the purchase of TP Link / Kasa devices. Currently your competition, Belkin WeMo, still provides local LAN control without any unnecessary security restrictions.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
The correct answer is they don't care about their customers or this would have never happened to begin with. The only response is to never buy a TP-Link product again.
- Copy Link
- Report Inappropriate Content
Hi, thank you for your concern about this issue.
We pay high attention to every potential security vulnerability. Once there is a vulnerability fix, the devices with beta firmware will receive the updates as well and We respect your choice to upgrade the firmware or not.
Since it has been never advertised by TP-Link that Kasa devices should support any unauthorized third-party platforms/applications,
and only some famous third-party integration such as Amazon Alexa and Google Assistant have been guaranteed, we reserve the right to adjust the local APIs on the Kasa devices.
And We're also planning to push more secure integration in the future before upgrading a more secure local communication authentication method on all Kasa devices.
At that time, other third-party platforms/applications can integrate with us through our more secure APIs.
Really sorry for the inconvenience.
Thanks a lot for your understanding and support.
- Copy Link
- Report Inappropriate Content
Thank you for arranging this change and I am encouraged that you are looking to allow more third party integration when you have developed your more secure APIs in the future. However, I have to take exception to the implication that somehow our home networks are more insecure than your (and other) public sites!
Those of us using Home Assistant are possibly more aware of the security implications of having numerous vendor devices on our networks, hence we prefer to use devices that do not require access to the internet to work (thumbs up to you). This is not just so that our homes do not have a dependency on our broadband supplier keeping our connections working (assuming we are lucky enough to have reasonable broadband in the first place) but also so that we know what is running on our internal networks and possibly leaking information to third party sites.
Given that TP-Link are unlikely to offer a product for every market (eg. heating controllers) and currently there are no light switches [HS200, HS210, HS220] in the UK and with the growth of the IoT and IFTTT you should not be surprised that people will do their own bespoke integrations via tools such as Home Assistant (other platforms are available). This actually saves you a lot of effort and cost in trying to develop an overarching control system rather than just the excellent, albeit limited, Kasa app for basic controls that many will find sufficient.
And, out of interest, what do you see are the risks to your products or users of an 'unauthorised' access to a socket? I'm not aware of any personal or sensitive information being held on them, nor, other than some inconvenience to me, what is the effect of someone taking control of them. Cameras I can understand might be a security risk, which is why I wouldn't use Alexa/Google display anywhere near my KC110 whether these have been “guaranteed” or not. You may trust them but I have no way of doing that validation myself, and there have been too many well documented ‘data breaches’ from ‘trusted’ companies.
I will request my version 4.1 switches ‘downgraded’ for now and look forward to a meaningful dialogue in the future that allows the Home Assistant integrations elves to do their magic with your new APIs. Oh, and I have just bought another KL50, so I hope you are not changing their interface just yet. I am holding back on purchasing any more HS100/110s for now as I’m too lazy to go and try to find other products of a similar quality that work reliably with HA.
Keep up the good work with innovative products, but also think bigger about how they might be used in this new world of home automation. You can't do it all - but we can!
- Copy Link
- Report Inappropriate Content
I've just tried to send my Ticket number to @TP-Link as requested, but on this forum I need to be LV2 and I'm only LV1 (having just joined to get the downgrade).
Why is all this stuff made so difficult to do?
As a clue, the ticket was created around 13:42 on 27/11, has at least HS100 in the title and ends 674. Hope this enough to find it.
- Copy Link
- Report Inappropriate Content
@TP-Link It would be very, very helpful to have the TP Link / Kasa direction documented formally on the TP Link site vs this more casual community. Perhaps it's time to add a "for developers" section to your web site? With a formal statement I will hopefully see a path to once again recommend TP Link to my customers.
We pay high attention to every potential security vulnerability.
Good to hear but difficult to believe in this case. This local API has existed for many years - since your product was first released. It is only now being "discovered" and fixed? There's been a pattern lately of manufacturers closing down 3rd party access so they can charge for subscriptions to control our devices. Will you be providing a statement commiting you will not do this?
And We're also planning to push more secure integration in the future before upgrading a more secure local communication authentication method on all Kasa devices.
You plan to break all local 3rd integration before providing a solution? This will put developers like me in the very uncomfortable situation of recommending against Kasa devices and warning existing customers against upgrading firmware.
I urge you to not break the existing 3rd party local access until you have an alternative in place.
At that time, other third-party platforms/applications can integrate with us through our more secure APIs.
When can we expect details? Will you be initiating a developers program? Formally documenting the API? Our requirement is for full local access, ideally without using an opaque library, and definitely NOT a library that requires callbacks to a web based service to obtain authorization for every request. This is what Tuya does and it's not an acceptable solution - and why, despite being more expensive, I previously recommended Kasa over smart life.
- Copy Link
- Report Inappropriate Content
Would be handy if i could update my message to tplink with my id (that I forgot to add). Since im a new user I get
You can send new messages only when you reach LV2.
Im lv0 :-(
(edit LV1 now ive posted this)
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@Stewhart Guess we have to post/reply more
- Copy Link
- Report Inappropriate Content
@TP-Link - Yes - please go ahead and update my HS110's with beta firmware.
I cannot reply via private Message as it requires LVL2.
Thank you.
- Copy Link
- Report Inappropriate Content
I had this LV1 problem, but the support guys seem to be clued up and I got a response from my support ticket requesting the 'downgrade'. They ask you to confirm that you want to go ahead with the beta firmware and accept the potential risks.
I told them that I understand the 'risk' of my well managed wi-fi network being compromised by rogue agents of foreign powers turning on and off my Kasa socket controlling lights to send secret encrypted messages via morse code to my neighbours. I'm not sure what other risks there are for a socket.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 6
Views: 6482
Replies: 12