Tuya: Revised update process hacked again

If you've bought a cheap WiFi socket from Amazon, eBay or Walmart, you are most likely using a rebranded Tuya device. Despite the hack in December 2018, the manufacturer has proven yet again that security is not much of a concern for it.

"Cloud" (Image: dpa, Matthias Balk/dpa)

By Andrijan Möcker

In exchange for a fee of 1500 US dollars, the Chinese manufacturer Tuya offers companies a turnkey smart home product range, including custom branding, with just a couple of clicks on its website. The service is advertised as having "military grade security" and being "GDPR compliant" (GDPR being the EU data protection regulation).

Since Tuya offers everything the average smart home enthusiast is interested in, the service has attracted companies worldwide. As the devices and their corresponding apps can carry company-specific branding, the actual number of Tuya devices on the market is almost impossible to estimate. Tuya itself speaks of 93,000 partners and 30,000 products.

In December 2018, Michael Steigerwald of the IT startup VTRUST demonstrated that Tuya does not take its proclaimed "military grade security" all that seriously. The security expert showed that the manufacturer uses a mostly unencrypted provisioning procedure.

Steigerwald wrote scripts that mimic the provisioning procedure and Tuya's cloud on a local computer. With his minimal firmware, he was able to back up the original Tuya firmware and install his own onto the smart home device.

Criminals with technical knowledge could use this flaw to manipulate a large number of devices and resell them in order to gain access to people's home networks.

Michael Steigerwald and c't published the hack in January 2019 under the name "Tuya convert". A month after the hack was made public, Tuya announced an update to resolve the issues. Instead of making the update mandatory for all devices, Tuya decided that every company using the service would have to decide for itself whether to install the update on its customers' devices. Hence the security flaw is still present in many devices.


In September 2019 the new provisioning procedure was hacked as well. Tuya had tried to encrypt the connection from the smart home devices to its cloud using a flawed implementation of TLS with a pre-shared key (cipher suite PSK-AES128-CBC-SHA256): when establishing the TCP connection, the device sends a plaintext MD5 hash of its normally hidden "auz_key" to the server. Server and device then use this hash to derive the actual encryption key, so anyone who observes the connection setup can derive the same key. Because the firmware on the device is not encrypted, the developer was able to reconstruct this process by reading the source code and the serial output.

Behind the encryption curtain, the provisioning process has remained almost the same: the firmware still accepts the keys for the MQTT encryption in plaintext, just like the update URL. Therefore, a firmware hack remains possible. The firmware file has to be signed, but Tuya made mistakes there as well: the signature is computed from the SHA256 checksum of the firmware file and the "SecKey", which is sent in plaintext during the provisioning process. A "signature" whose only secret ingredient is transmitted in the clear can be recomputed by anyone who sees that exchange.
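The design flaw described above is the same in both the PSK derivation and the firmware signature: the value that is supposed to prove authenticity is derived from material the device sends in plaintext. The following Go program is an added illustration written for this article, not code from Tuya or from the tuya-convert project. It models the weak signature as SHA-256 over the firmware image concatenated with the SecKey (the exact byte layout Tuya uses is not given in the article and is an assumption here) and contrasts it with a public-key signature (Ed25519), where the device stores only a public key and nothing exchanged during provisioning lets a third party produce an accepted signature for a modified image. All keys and "firmware" bytes are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// WeakSign models the scheme described in the article: a plain SHA-256 digest
// over the firmware image and a shared "SecKey". The firmware||SecKey layout is
// an assumption for illustration; the article does not specify the exact input.
func WeakSign(firmware, secKey []byte) []byte {
	h := sha256.New()
	h.Write(firmware)
	h.Write(secKey)
	return h.Sum(nil)
}

// WeakVerify recomputes the digest on the device. Because SecKey travels in
// plaintext during provisioning, anyone who observed it can satisfy this check.
func WeakVerify(firmware, secKey, sig []byte) bool {
	return bytes.Equal(WeakSign(firmware, secKey), sig)
}

// StrongSign is the hardened alternative: the vendor signs with an Ed25519
// private key that never leaves the build infrastructure.
func StrongSign(firmware []byte, priv ed25519.PrivateKey) []byte {
	digest := sha256.Sum256(firmware)
	return ed25519.Sign(priv, digest[:])
}

// StrongVerify runs on the device with only the vendor's public key baked in.
// No value sent over the network gives a third party the ability to sign.
func StrongVerify(firmware []byte, pub ed25519.PublicKey, sig []byte) bool {
	digest := sha256.Sum256(firmware)
	return ed25519.Verify(pub, digest[:], sig)
}

// Demo plays through the scenario with constructed data. It returns whether
// the weak check accepts a modified image re-signed with the observed SecKey,
// and whether the strong check accepts the same modified image given only
// what the device and the network observer possess (public key, old signature).
func Demo() (weakAccepts bool, strongAccepts bool) {
	genuine := []byte("constructed: genuine firmware image")
	modified := []byte("constructed: modified firmware image")
	observedSecKey := []byte("constructed-seckey-seen-in-plaintext-provisioning")

	// Weak scheme: the observer holds everything needed to produce an
	// accepted digest for arbitrary content.
	weakAccepts = WeakVerify(modified, observedSecKey, WeakSign(modified, observedSecKey))

	// Strong scheme: the vendor signs the genuine image; the observer only
	// ever sees the public key and that signature.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	vendorSig := StrongSign(genuine, priv)
	strongAccepts = StrongVerify(modified, pub, vendorSig)
	return weakAccepts, strongAccepts
}

func main() {
	weak, strong := Demo()
	fmt.Printf("weak scheme accepts modified image:   %v\n", weak)   // true
	fmt.Printf("strong scheme accepts modified image: %v\n", strong) // false
}
```

The defensive takeaway is the second half of the program: an update check is only as strong as the secret the verifier depends on, and a device that must verify updates should hold a public key rather than a shared secret, so that capturing the provisioning traffic yields nothing a signer needs.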

Diligent GitHub maintainers such as Colin Kuebler have since extended the Tuya convert scripts to support the new, equally unsafe procedure.

Because of Tuya's poorly implemented new procedure, the risk of potentially harmful devices in circulation remains. On the other hand, devices based on the ESP8266/85 WiFi microcontroller can be converted into autonomous, cloud-free smart home actors in just a few steps. For the scripts and a list of already identified Tuya devices, visit the GitHub repository of tuya convert. (amo)