Kasa devices and Home Assistant - Integration now broken due to firmware update
Hello everyone,
I created this post to raise awareness around TP-Link's recent changes affecting Home Assistant users:
https://www.home-assistant.io/integrations/tplink/
Those who use Home Assistant consider it irreplaceable.
Arguably, Home Assistant offers the most complete feature and integration suite vs any competing power user home automation platform today.
It would be in the top right corner if there was a "Gartner Magic Quadrant for Home Automation Platforms".
Some of my personal use cases that were easily build-able because of Home Assistant:
-
I use Home Assistant + my Kasa devices + my continuous blood glucose monitor to wake me up in the middle of the night when my blood sugar levels go low (e.g. turn on my bedroom lamps and lights when my blood sugar is below safe levels).
-
I control all my house fans in the summer per-room with localized temperature sensors in each room of my house
-
I turn my RGB lights red or blue if my insulin is approaching an unsafe temperature (freezing damages insulin).
The recent firmware changes completely break the sole reason I bought my TP-Link Kasa devices.
I fell in love with the Kasa product line's quality, price-point, electrical testing certifications and the open integration with Home Assistant.
Amazon reviews, YouTube videos, podcasts and community posts gave me comfort to invest heavily into the Kasa ecosystem.
With Kasa, I felt confident I would have a rock solid device from a big brand to use with Home Assistant.
I was an early adopter of WeMo and have since passed them on as gifts to others - I can't ask for them back now.
The few WeMos I still have work perfect with Home Assistant.
I've never felt worried about a firmware update breaking how my WeMos integrate with Home Assistant as Belkin understands Home Assistant use cases and the values users get from Home Assistant.
Belkin was victim to typical IoT security anti-patterns (e.g. unsigned firmware updates), but over the years has subsequently hardened their WeMo offering and still allow local control.
Users like myself have invested hundreds into TP-Link products (and my recommendations to friends have resulted in them spending hundreds).
We also (in good faith) allowed cloud connectivity (providing TP-Link with analytics data). I am now blocking all of that cloud connectivity.
Here are some community posts. It's only a matter of time before this gets picked up by HackerNews or another big tech site.
-
https://community.home-assistant.io/t/tp-link-hs110-smart-plug-disappears-after-latest-firmware-update/244229
-
https://twitter.com/TPLINKUK/status/1328687659133399043
-
https://alerts.home-assistant.io/#tplink.markdown
-
https://community.tp-link.com/en/home/forum/topic/236268
I strongly encourage TP-Link to work with the Home Assistant community in good faith to resolve this problem.
Other vendors like Phillips, Belkin WeMo, IKEA, etc. all understand the value of power users pushing the home IoT space forward and have not disrupted the local control capabilities of their products.
Some recommendations:
-
Publish a secure local API for Kasa devices
-
Allow for users at their discretion to opt-in / enable legacy versions of the port 9999 based API / old local control mechanism in the meantime
-
-
Create a more secure implementation of the initial configuration mechanism (e.g. that does not use port 9999)
-
Publish firmware release notes as per industry generally accepted practices
-
Allow for opt-in beta testing of firmware
-
Publish CVEs for vulnerabilities discovered as per industry generally accepted practices
I hope this post raises some more awareness for us Home Assistant users now left with 15+ "broken" devices!
Thanks for reading this!
I've lost sleep over my now broken smart home and am trying to constructively work on a solution!
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@drewy It wasn't clear. That's why I asked. I wouldn't have wasted my time asking if it was clear.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi, All, Good day!
Since this firmware would not be released to all the users, only the customers related to the home assistant, so it would be processed directly from TP-LINK based on the MAC address which had been sent to us.
Please make sure that you have created a ticket to the support team or send me a message privately (click the nickname and choose 'message') with the following information:
ticket ID(if you have sent an email already)+TP-Link ID+ model number/hardware version about + MAC address
Thanks a lot for your cooperation and support.
Have a nice day.
- Copy Link
- Report Inappropriate Content
@TP-Link I'm not sure this is the "best" solution. There are many apps using the local API, not just home assistant, presumably you're granting a downgrade for all.
Clearly this is not a sustainable solution.
What's going to happen with the older devices - do we need to refuse any further firmware updates?
What will you do if there's a *real* security problem found - will we be stuck with the security risk on old firmware?
I was able to accept (or not) every firmware update of my devices manually. The first ones didn't even work in the app, you had to release a separate program for it. Did you push this update without asking permission? Why? It scares me just to know this is possible!
I sincerely hope you're going to have a more coherent strategy for firmware updates and an open API than you've presented us here.
- Copy Link
- Report Inappropriate Content
MikeP wrote
@TP-Link I'm not sure this is the "best" solution. There are many apps using the local API, not just home assistant, presumably you're granting a downgrade for all.
Clearly this is not a sustainable solution.
What's going to happen with the older devices - do we need to refuse any further firmware updates?
What will you do if there's a *real* security problem found - will we be stuck with the security risk on old firmware?
I was able to accept (or not) every firmware update of my devices manually. The first ones didn't even work in the app, you had to release a separate program for it. Did you push this update without asking permission? Why? It scares me just to know this is possible!
I sincerely hope you're going to have a more coherent strategy for firmware updates and an open API than you've presented us here.
I totally agree - it looks like this was automatically picked by the community manager as the best solution.
I've re-opened the thread.
The list of recommendations I first posted still stand.
Although positive that it is being given proper attention, further communication updates regarding the long term local control API strategy, security, etc. (and progress updates) are warranted.
- Copy Link
- Report Inappropriate Content
It doesn't even work any more with @TP-Link's own Deco Smart Actions! So it seems like the Kasa engineers forgot to talk to the Deco people, who might have explained how Smart Home devices are supposed to work! But why it still works with Google Home I have no idea...
- Copy Link
- Report Inappropriate Content
@Brook Will there be a firmware downgrade option for the HS200? Or only the 110 devices? Just this morning, I was going to put my TP-Link device into Home Assistant only to find out that a short few days ago, this functionality was disabled due to a firmware update that I wasn't aware was being applied.
- Copy Link
- Report Inappropriate Content
@TP-Link I have 53 tp-link switches...I replaced all my switches at home with tp-link as they supported local control out of the box! What a wasted $1,200+ in a month! I'm so annoyed with tp-link. Can you please update all my switches to enable local control? Removing existing functionality is no solution to fixing the code.
I can send you my account email-id instead of sending a huge list of Mac Ids as you already have it in my account! Please help and let me know a good long-term solution
- Copy Link
- Report Inappropriate Content
Good day,
Thank you very much for all your concern.
The firmware 1.1 was only pushed to HS100/HS110(UK) v4.1, So the US version, EU version, none V4.1, smart switches, bulbs would not be affected.
So for other smart home devices, please make sure they are working fine with Kasa devices.
At the same time, please have a check with Home assistance as well to see whether they have made any changes or not.
Thanks a lot.
- Copy Link
- Report Inappropriate Content
@asnandrey found out about this through Twitter (thank you Troy hunt!). If TP link is going to render the investment of thousands of dollars crippled by their change they leave themselves exposed to a class action suit. Hopefully better ideas will emerge. I also have a LOT of these switches installed, and have integrated them with a variety of local controls. Arbitrary breaking of my install was not something I approved. Will start my ticket? Is that the method? Start a ticket, load a list of mac addresses (seems like a bad idea to publish that??)
asnandrey wrote
@TP-Link I have 53 tp-link switches...I replaced all my switches at home with tp-link as they supported local control out of the box! What a wasted $1,200+ in a month! I'm so annoyed with tp-link. Can you please update all my switches to enable local control? Removing existing functionality is no solution to fixing the code.
I can send you my account email-id instead of sending a huge list of Mac Ids as you already have it in my account! Please help and let me know a good long-term solution
- Copy Link
- Report Inappropriate Content
Information
Helpful: 20
Views: 55846
Replies: 86