HermannSW wrote (Tue Feb 11, 2020 4:46 pm):
Typically smart plugs and bulbs need some server infrastructure.
Many use the TUYA API, which I tried to reverse engineer, but the Smartlife Android app talks encrypted to the devices.
My son has yeelink lights as well, which do not use the TUYA protocol and are controlled by the yeelight app:
https://play.google.com/store/apps/deta ... ght.cherry
Before looking into that, I made a "need for internet access" test for TUYA.
The Smartlife app is able to control the smart plug locally (via open port 6668, encrypted) even if I block internet access for the smart plug as well as the smartphone in my home router, and even after removing the smart plug from power and powering it back on in order to kill existing MQTT tunnels to the amazonws server.
Contrary to that, the yeelight app cannot control the yeelink light if one or both are blocked from internet access in the router.
I did a port scan, and initially the yeelink light (192.168.178.149) has no open ports.
I did ettercap MITM ARP poisoning again on my Pi and captured traffic between the light and the smartphone (192.168.178.179).
I was surprised to see no traffic at all while turning the light off and on, or changing the color of the light.
Then I forced the yeelight app to close on the smartphone, started capturing and started yeelight.
As you can see in the Raspberry gimp screenshot of Wireshark, there are only a few packets exchanged before any traffic goes over the internet (after the RST packet). The UDP packets open port 55443 on the smart light, which was not open before, for a single TCP message from the yeelight app to the light.
From a 12/2018 Chaos Computer Club talk I know that TUYA devices were not safe at that time, because most stuff was transported in the clear, allowing MITM extraction of the key needed to control the smart device. Now traffic is encrypted, but it is most likely that the WLAN password transferred from the SmartLife app to the smart plug on initial configuration does not only get stored on the plug, but is sent to the MQTT server as well ...
My son will move to a student dorm soon and take all smart plugs, lights and Alexa with him. At that point I will change the WLAN password in my router, because it is most likely known to several IoT providers already.
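The two-step exchange described in the quoted post, UDP packets followed by a single TCP message to port 55443, is the shape of Yeelight's published LAN control protocol: an SSDP-style M-SEARCH to multicast 239.255.255.250:1982, a plain-text reply whose Location header names the TCP control port, and then one JSON command line per TCP exchange. The script below is an added example (not HermannSW's code and not taken from the Yeelight app); it assumes the capture shows that protocol, which the bulb only exposes once "LAN Control" is switched on in the app, and it parses a constructed sample discovery reply and builds and decodes the JSON command frames offline. Nothing is sent unless `send_command` is called explicitly.

```python
import json
import socket

YEELIGHT_SSDP_ADDR = ("239.255.255.250", 1982)  # multicast group/port from Yeelight's LAN spec
CONTROL_PORT = 55443                            # TCP control port seen in the capture

# M-SEARCH the app broadcasts over UDP to find bulbs on the LAN
DISCOVERY_REQUEST = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1982\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "ST: wifi_bulb\r\n"
    "\r\n"
)

# Constructed sample of a bulb's UDP reply (not a real capture). The Location
# header is what tells the app which host:port to open for the TCP command.
SAMPLE_DISCOVERY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: max-age=3600\r\n"
    "Location: yeelight://192.168.178.149:55443\r\n"
    "id: 0x000000000000abcd\r\n"
    "model: color\r\n"
    "fw_ver: 18\r\n"
    "support: get_prop set_power toggle set_rgb\r\n"
    "power: on\r\n"
    "bright: 100\r\n"
    "\r\n"
)


def parse_discovery_response(text: str) -> dict:
    """Parse the header block of a Yeelight SSDP reply into a dict and split
    the yeelight:// Location URI into host and port."""
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not a Yeelight discovery response")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    loc = headers.get("location", "")
    if not loc.startswith("yeelight://"):
        raise ValueError("missing yeelight:// Location header")
    host, _, port = loc[len("yeelight://"):].partition(":")
    headers["host"] = host
    headers["port"] = int(port or CONTROL_PORT)
    headers["support"] = headers.get("support", "").split()
    return headers


def build_command(method: str, params: list, msg_id: int = 1) -> bytes:
    """Encode one control command: a single JSON object terminated by CRLF,
    which is the one TCP message the capture shows."""
    return (json.dumps({"id": msg_id, "method": method, "params": params}) + "\r\n").encode()


def parse_reply(raw: bytes) -> dict:
    """Decode the bulb's reply: {"id":..,"result":[..]} on success or
    {"id":..,"error":{"code":..,"message":..}} on failure."""
    reply = json.loads(raw.decode().strip())
    if "error" in reply:
        raise RuntimeError(f"bulb error {reply['error']}")
    return reply


def send_command(host: str, port: int, command: bytes, timeout: float = 3.0) -> dict:
    """Open the short-lived TCP connection and exchange one command/reply pair.
    Needs network access to a bulb; deliberately not called in this example."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(command)
        return parse_reply(sock.recv(4096))


if __name__ == "__main__":
    info = parse_discovery_response(SAMPLE_DISCOVERY_RESPONSE)
    print(f"bulb {info['id']} ({info['model']}) listens at {info['host']}:{info['port']}")
    print("discovery request:", DISCOVERY_REQUEST.encode())
    print("command frame:", build_command("set_power", ["off", "smooth", 500]))
    print("parsed reply:", parse_reply(b'{"id":1,"result":["ok"]}\r\n'))
```

The point for a home network: the control port is only reachable on the local segment and only after discovery, so blocking the bulb's internet access at the router stops cloud control but not a LAN peer that speaks this protocol; segmenting IoT devices onto their own VLAN is what limits who can send that single TCP message.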