KASA (Android) BUG

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12

KASA (Android) BUG

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
KASA (Android) BUG
KASA (Android) BUG
2017-12-29 06:23:16
Model :

Hardware Version :

Firmware Version :

ISP :

Sadly I see no forum for the KASA app so I will post the problem here as I only have smart plugs.


I have observed an annoying bug in the Kasa Android app which has a kind of workaround which isn't great.


1) When plugs are set : remote = on
And I sign out of Kasa then

All plugs go to local mode and can be operated for a time. However,
suddenly they will disappear or if the app is restarted they will not be
there

Workaround: enter settings for plug and it will retain local plugs but
app must not be restarted and you must leave it in the settings of one plug.
NOT GOOD

2) When plugs are set :remote= off
And we sign out of Kasa then

All plugs go to local and can be operated even if app is restarted.

HOWEVER, a) Alexa cannot control plugs anymore

Please fix app so that signing out does not stop local control when
plugs are set to remote=on.

There is no reason why local control should
not operate when signed out, in fact it works fine for a while or as
long as the conditions I mentioned are adhered to.
  0      
  0      
#1
Options
13 Reply
Re:KASA (Android) BUG
2018-01-08 18:13:09
As far as I know if you logout the Kasa account then you couldn't see or control the devices bound to others account. This is for security concern, isn't it right?
  0  
  0  
#2
Options
Re:KASA (Android) BUG
2018-01-09 01:25:29

Anton L.Z. wrote

As far as I know if you logout the Kasa account then you couldn't see or control the devices bound to others account. This is for security concern, isn't it right?


Well firstly it isn't rocket science to write an app that ties the current devices to your account without having to be logged on constantly to a server. It's plain sloppy programming.

Personally I find it more of a security concern that I have to trust my data and network pw to someone else's server 24/7 than any so called security risk from someone unlikely to gain access to my home network which is locked down at mac level.

Secondly if it were secure in its current form and intentionally done the mere fact that I can force it to keep the plugs going in local mode with the workaround shows how "security" minded and "skilled" the software writers actually are.

If tplink were concerned about security then we wouldnt have issues detailed in the following articles below which are of much more concern than any issue of local operation could possibly present and tplink don't appear to address or want to address those any time soon or probably, ever.

https://www.softscheck.com/en/reverse-engineering-tp-link-hs110/

https://www.google.co.uk/url?sa=t&source=web&rct=j&url=https://www.troopers.de/downloads/troopers17/TR17_fgont_-iot_tp_link_hacking.pdf&ved=0ahUKEwjzqfnvg6XYAhXJB8AKHX_7DygQFgggMAE&usg=AOvVaw0xGYQeTCHNgajFWX8f8T1a

Sorry if this comes across harsh but these devices cost 2 to 3 times the competition and one would expect better care and thought for that price
  0  
  0  
#3
Options
Re:KASA (Android) BUG
2018-01-09 01:48:04
Doesn't this come down to you either trust TP Link or you don't? Signing out from their app doesn't necessarily mean the app won't still be contacting their servers, only that you cannot. Turning off remote access doesn't mean the devices will no longer contact the TP Link servers (by all accounts they still do, and they continue contacting servers all over the world to time sync) it only means you can't access them yourself.

If you don't like sharing your info deny the devices access to the internet and find a 3rd party server app to bypass the TP Link servers. Mine for example gives remote access using your google account with proper permissions so you own the entire stack.
  0  
  0  
#4
Options
Re:KASA (Android) BUG
2018-01-09 02:46:50

MikeP_AutomationManager wrote

Doesn't this come down to you either trust TP Link or you don't? .....


Yes well after reading those articles I don't trust them in matters of security. Eg. Encryption is laughable and dead easy to decrypt. So after buying I am now having g to reconsider somewhat.



If you don't like sharing your info deny the devices access to the internet and find a 3rd party server app to bypass the TP Link servers. Mine for example gives remote access using your google account with proper permissions so you own the entire stack.


Didn't know that was possible and not sure how that works. Personally there is a small interest in remoting from outside eg. Nice to turn my coffee machine on 30 mins before arriving home, but I never bought the plugs for that, I wanted Alexa to control them mainly but kasa was needed for that skill to work.

What 3rd party apps work with these? I'll have to look at that angle.
  0  
  0  
#5
Options
Re:KASA (Android) BUG
2018-01-09 05:23:29
Yeah, it's a bit tricky - even to control the switches locally you need Kasa (or an alternative), and if you use any scheduling the tp link devices need access to the internet to keep time sync'd.

If you don't need remote access or scheduling and just want an easy way to turn them on/off you can use my WemoHome app as it always accesses the devices locally - you can use your router's firewall to block them going out. Trying to block and use Kasa locally is a bit tricky.

I also have AutomationManager which you can run as a server to add logging, remote access, scheduling, and other automation & integration while still preventing the device from reaching the internet (which has started to be strongly recommended for IoT devices!).

You can see more by clicking on my name here to go to my guest page. There are other app/methods which I'm sure others will advocate, I recommend mine 'cause it's the best ;).
  0  
  0  
#6
Options
Re:KASA (Android) BUG
2018-01-09 13:17:27
Thanks for the link, didn't realise you had produced an offline app.

I spend a few hours earlier learning how to get the token and device id and use curl to control the switches but this is really just sending the request to the server which doesn't know it's not Kasa.

Your app is worth looking into but I'm guessing that Alexa won't work with it since the skill involved I presume needs some contact with tplink server.

Do you have a trial version?

The more I look at these devices the more I'm convinced the vendors are acting irresponsibly and should be legally bound to adhere to strict privacy and security guidelines. I'm ambivalent as to whether to keep these plugs or toss them in the bin.
  0  
  0  
#7
Options
Re:KASA (Android) BUG
2018-01-10 00:37:06
If you run my server on an android device it can expose the TP Links for local control through alexa so the only cloud is alexa's voice analysis. No skill is required.

I don't have a trial version (other than the java version which is free for on/off control) but I do have a full refund policy, the procedure is the first FAQ on my site. An $8.99 investment to save how much from the bin :)?

To true about the vendors. Hopefully the US & Euro companies are complying with the privacy laws (and can be trusted to avoid bugs and being hacked, belkin for example leaks devices between user accounts). TP Link is a China based company so I'm not sure how privacy laws apply to them... I'm most frightened by the cheap cloud only devices (no local API at all) coming from small unregulated companies - privacy and even device protection is a huge risk.
  0  
  0  
#8
Options
Re:KASA (Android) BUG
2018-01-10 12:11:46
Point taken Mike it's just that I am not sure exactly how your app works. I do as little as possible with Google as I can and it appears that I may need to use Google Drive? I am also unsure about accessing from outside but I can give this idea up for the occasions that I might have wanted to use it.

I am currently talking to Tplink engineers and arguing on their policies. Maybe they will take some notice - I've already pressed for a comment from one of the senior engineers who states this in response to the first link I posted up earlier about the vulnerabilities.

"The mechanism is actually for the possible risk in local communication as the article referred to.
Becasue (sic) not all household could set access control in the router.
And we will have a further check foe(sic) the fllowing(sic) comment:
TLS cloud connection could be intercepted with any valid Symantec EV certificate (only Root CA is checked)
Undocumented configuration and debug service (TDDP)
"


I also took issue with the fact that when I tried to change my email on Kasa (I'd stupidly put one that I wouldn't want to throwaway) I couldn't do it, so I created another account and found there is no way to delete my old account. I insisted and get this , in order to fob me off they said they couldn't delete the account because it was "hardware coded". After insisting that I talk to someone higher up they are in the process of deleting it but this is just another thing that bugs me - who does that? Almost every service that you may sign up for will give you a way to delete your account. Not Tplink though - create an account and it's there for life.

I agree with your comment on the cheaper devices, it is why I decided to pay more for the tplink and hence my disappointment but I'm sure I'd be horrified by the glaring problems on the cheaper devices.
  0  
  0  
#9
Options
Re:KASA (Android) BUG
2018-01-10 13:03:47
What my app does is use local device APIs (I won't ever integrate a device with a cloud only API). Then what I've done is leverage the android OS to provide additional function and automation. All of them then show up in my app as managed devices. So the way it works is as a central hub running a rules engine using the android OS for things like current time, schedules, etc. and talking directly to each device. Remote access is provided either directly over an encrypted connection (best choice if you know how to configure your router). And (or actually) an easier method to set up that uses the google cloud via the google drive API (which means you own your & control your data - not me - the opposite of what TP Link does). Google drive is integrated with IFTTT that is in turn available from alexa and google assistant. There is a java version of the server that'll run on most anything but unfortunately no android so no google integration.

I think that TP Link response has really hit on the risk :). Their target market is users who don't know how to configure a router so won't know how to protect themselves... Then (with all due respect to the TP Link engineers) between the language and the cultural barriers they're going to struggle with understanding why we're concerned... If they care at all - it's a powerful position to have a bridge into everyone's local network. Because of course the real goal of IoT cloud vendors is control. We know amazon doesn't want to make our fridge smart to help us live better, they want to make it smart so that it'll be easier to order milk from them (hence wholefoods and more)...
  0  
  0  
#10
Options
Re:KASA (Android) BUG
2018-01-11 07:39:03
OK so I can set up the router if I know what to do exactly. I'd prefer not to sign up for Google drive unless it is without giving them more of my details than they already have.

The android device as server seems to be the weak link here .ie. devoting an old redundant device plugged into mains to keep it online all the time.
Alternatively I have a qnap nas which would be ideal as that is always running, or perhaps I could use a raspberry pi. The qnap does support vm so perhaps it can run a version of android, I don't know if that is possible?
  0  
  0  
#11
Options

Information

Helpful: 0

Views: 2495

Replies: 13

Related Articles