No-Name-Smart-Home: Security flaw allows easy firmware upload

Zur deutschsprachigen Version dieses Artikels

They may all carry different brand names, but many cheap Wifi sockets, kitchen appliances and light bulbs are made by one manufacturer – Tuya. Security expert Michael Steigerwald, founder of the IT-Startup VTRUST, has probed the security of the devices and presented his findings at the 35th Chaos Communication Congress, the annual event of the Chaos Computer Club. In collaboration with the German tech magazine c’t he extended the scripts simulating the Tuya cloud, allowing users of Tuya devices to easily install an alternative firmware.

The Chinese company behind the name produces a wide range of home automation products and provides app and cloud services as well, but the devices made aren't just labeled with their logos. Tuya enables other ventures to become a smart home supplier as well by paying just 1500 US-Dollars, no technical expertise required. Creating your own app and product range is only a few clicks away on Tuya‘s webpage. At present, the company claims that over 10 000 companies with over 11 000 individual products use their service.

When it comes to Wi-Fi devices the ESP8266, a Wi-Fi enabled microcontroller by Espressif, can be found on the circuit board quite often. It simply connects to the home's wireless network and talks to the Tuya cloud. Users control the devices using an app, which requires access to the cloud. The sub-manufacturer webinterface shows that Tuya unnecessarily saves lots of data on its customers, for example where a device is (using smartphone GPS when configuring the device) or when it has been switched on or off.

Flawed configuration process

Tuya uses a procedure named smartconfig to get the Wi-Fi and cloud credentials onto devices. The user downloads an app and enables the pairing mode with the device, then enters the Wi-Fi credentials, while the app requests a cloud token in the background. Afterwards both datasets are sent to the connected Wifi network using broadcast packets.

At first blush, this seems like a decent solution: The unconnected Tuya device captures the packets of the surrounding Wifi networks. Because the network is encrypted, it cannot read the payloads of the packets but their length, so the Tuya app encodes the needed credentials using the packet length. But since the protocol is no longer secret anymore, anyone in range of the transmitting smartphone could decode the packets and get ahold of the Wi-Fi credentials.

Just as troublingly, when the Tuya device has successfully connected to the Wi-Fi network, it sends the token to the Tuya server – using unencrypted HTTP. The server replies with the keys used to encrypt the following MQTT communication – again using unencrypted HTTP. While the MQTT payloads are encrypted using AES-128, the MQTT communication itself is not encapsulated in TLS (Transport-Layer-Security).

Although attacking Tuya devices requires some effort, such as being in the right place at the right time, it could be worth it. Once you have captured the cloud token, you are able to replace the firmware on the device and run malicious code in the victims home network.

Another hypothetical scenario has the attacker buying the devices, replacing their firmware with a modified version and returning the devices to the retailer. Once the retailer sends those devices to unsuspecting buyers, they could become part of a botnet or have the attacker accessing sensitive data within their home network.

Cloudless Firmware easily installed

The good news: These findings have a practical, legitimate application for home users, too.Michael Steigerwald and a group of editors at c’t magazine have optimized the scripts presented at the talk, allowing smart home enthusiasts to replace Tuya‘s cloud firmware with an open source version that doesn't require a cloud connection. Instead of using Tuya‘s app, the software recreates the provisioning process on a machine within the users home network. This approach uses a modern Raspberry Pi with a Wi-Fi-adapter to mimic the cloud server.

In the last step, the scripts instruct the device to download the open source ESP firmware Tasmota. Since we suspected a worldwide interest, we decided publish a free article (in English) with a detailed description on how switch out the firmware of your Tuya device. You can also take a look at the code in our GitHub repository. (amo)