IoT light bulb manufacturer, Tuya, responds to security issues
It’s good to see companies are already working to fix the issues.
You’ve probably seen all the articles floating around today about insecure IoT light bulbs. The short version is that credentials like Wi-Fi passwords and the information needed to control the device remotely are saved in plaintext, so they’re easily accessible to anyone with physical access. One of the companies mentioned, Tuya, reached out to us to state that it has been working on fixing the issues found with its light bulbs since the original blog post by Limited Results at the end of November.
Tuya bills itself as a “global ‘AI+IoT’ developer platform,” providing own-branded and OEM-rebranded devices, apps, and IoT modules that all run on the Tuya Smart platform. Limited Results found that the Wi-Fi credentials, Local Key, and DeviceID were all stored in plaintext on the two light bulb models tested. Since Tuya uses three types of standardized IoT modules across the 30,000 devices it has, it’s a fair bet that these two light bulbs were not the only affected devices.
Since then, Tuya says it has completed technical updates for all known issues, stating, “we [have] finished technical updates for all known issues and the Public Software App is now available on Google Play and App Store.” The company has also been updating the customized apps for each of the OEMs it manufactures for, with upgrades scheduled to begin in February.
On the hardware side, a spokesperson for the company says that firmware packages with the security fixes are ready, and that they “are scheduling a time with all of our clients to work with a specialized Tuya tech [to] complete the upgrade.”
In the new firmware, AES encryption is the standard for all downstream network packets, and TLS is used for all communications with Tuya’s cloud.
One of the biggest issues, the storage of credentials in plaintext, has been addressed: the new version encrypts onboard storage. OTA upgrades will now be signed, which makes reflashing the device to run malicious code harder, although it probably won’t deter the most determined hackers.
All things considered, this is a positive direction from any company after a security hole is disclosed. We’d be happy if all companies behaved this way. Of course, we’d be even happier if security was designed in to start with.