Meross security notice

Not sure if anyone else received these emails from Meross recently:

This is meross cloud security team contacting you.

First of all, thanks for choosing meross products and we hope that you enjoy smart life with our smart products.

Recently our cloud security system has noticed that your devices are communicating with the could server at an extremely high frequency. We consider these behaviours abnormal and are concerned about the security of your devices. We believe your devices have been hacked and manipulated since they triggered our safety guard hundreds of thousand times during this week.

Due to the security concerns and the intent to avoid any further potential damage, we will terminate the cloud services of these devices if the abnormal behaviours do not stop. To help you, we suggest you to stop use any third-party platforms other than Alexa, Google Assistant, HomeKit, SmartThings and IFTTT. If you do use third-party platforms such as Home Assistant, we suggest you to downgrade to 1.0.7 immediately.

If you find your cloud service terminated by meross cloud safety guard and you are sure that your devices are safe, NOT hacked, and are performing as expected. Please first lower your periodic request rate to no more than one message every ten seconds and then send an email to [email protected]. We will resume cloud service for you within 24 hours.

For the safety of your devices and personal data, we suggest you to use meross app to manage your devices and DO NOT use any other third-party platforms . Meross can NOT guarantee you these unauthorized platforms do not contain any malware and ransomware codes, nor can we ensure the security of your personal data collected by these platforms. Please note that any abnormal high cloud request frequency will cause cloud service termination again.

Should you have any information you would like to provide us with or you would like to offer us any clarification, please contact us within 24 hours.

Downgrade to HA 1.0.7 what a joke, anyone else got this? Is there a way to control meross locally without messing with tasmota/FW?

Seeing many of these errors in the logs:

2021-09-02 06:56:34 ERROR (MainThread) [meross_iot.manager] An error occurred while executing push notification handling for <meross_iot.model.push.online.OnlinePushNotification object at 0x7f88ff2190>

Anyone else?

I’ve just recently bought one of their plugs and received it today and come across the below. I assume they mean 1.0.7 of albertogeniola’s custom component.

:exclamation: Attention: Update to v1.1.4 or newer version​:exclamation:

Dear users, Meross I recently received a notice from Meross asking to take down versions up to 1.1.4, as they believe there is some sort of bug causing high traffic volumes on their servers. For this reason, all versions from v1.0.7 up to 1.1.4 (excluded) have been temporarely withdrawn from GitHub and HACS. In order to avoid service denial from Meross, you are urged to upgrade to version v1.1.4 or downgrade to v1.0.7 (which was the previously stable version).

Even though this might sound as an ultimatum from Meross, we are finally given the opportunity to collaborate with their security team in order to agree on some MQTT/HTTP rate limits and make sure this HA component works flawlessly. For this reason, I’d really appreciate if you could comply with that request: it would be easier for us to establish a collaborative partnership.

Source: albertogeniola/meross-homeassistant: Custom component that leverages the Meross IoT library to integrate with Homeassistant (github.com)

1.0.7 of meross does make more sense yeah :smile:
I went and deleted the integration and then added it back.
I haven’t seen that error in my logs so far.
I wonder if I should revert back to 1.0.7?

If I’m reading it right, 1.1.4 should be okay? But if you want to downgrade 1.0.7 is the previous known stable version that is not affected. It doesn’t look like it’s been yanked from GH (1.1.4 that is).

I have installed version 1.1.4 and my system crashes completely because of this version.
HA stops several times a day and I have to restart the system.
I have downgraded to 1.0.7 but without success and that’s not really serious.
Now I replaced my meross plugs with zigbee plugs and it’s perfect.

I installed Meross Homeassistant to manage my plugs… than I got the same message related to high frequency queries two days later… Uninstalled the add-on (even if you can limit the frequency in the add-on but you have to enable it). I had also many disconnects with the plugs. Now I am using Meross LAN… No need for the cloud and works great for me and what I have to do with those plugs with energy measurement…

Need to look into the LAN version then…

I’ve installed Meross Cloud IOT 1.1.4 with a couple of mss310’s and everything seems to be working fine (will see how I get on over the next few days).

I had a look at the LAN option, there seems to be a bit outstanding which needs completing so I’ve given it a swerve but I’d be more interested in that option.

I control my meross stuff by having them in Smartthings, and using that integration in HA. Not sure if there’s a downside to this, but I always found the Meross integration (which I check out when there’s a new release) slow to start and introduces a lot of errors into my logs.

I will try the LAN version, my experience with the other version is so bad…
Do you use it through your MQTT broker or directly via HTTP ?

I am using HTTP not MQTT…

1 Like

So v.1.1.4 still broken for me, log filled with:

2021-09-03 13:23:53 ERROR (MainThread) [meross_iot.manager] Timeout occurred while waiting a response for message b'{"header": {"from": "/app/63513-a875b30d4b8c8d85f5a43752ea3bf79a/subscribe", "messageId": "496953a9f2c0aaaec084982215908e97", "method": "GET", "namespace": "Appliance.Control.Electricity", "payloadVersion": 1, "sign": "1142bb73501085a564d2b9ed17b0a10e", "timestamp": 1630671823}, "payload": {"channel": 0}}' sent to device uuid 19010849682057251a1334298f1469fc. Timeout was: 10.0 seconds. Mqtt Host: mqtt-eu.meross.com:443.Global manager stats (last minute): Issued -> 9, Delayed -> 0, Dropped -> 0
2021-09-03 13:23:53 ERROR (MainThread) [custom_components.meross_cloud.sensor] Error occurred.

@browetd I changed to the LAN version and it has been working without problem since yesterday.
No more errors, no more logs … Thank you Didier for this tip

1 Like

Are there any differences in functionality or everything works the same, power values etc?

I have the switches available as well as power values… I was able to incorporate those plugs into the energy dahsboard (meaning that state_class and device_class are correct as well)…

That’s the entities available for one device (wash machine) with the Meross LAN

Ok I have installed Meross LAN via hacs but not seeing how to actually add devices?
On the info page says should be auto-discovered but nothing happened so far.

It also says this: You can also manually add your device by adding a new integration entry and providing the host address.

But if I go to integrations and try add Meross LAN it doesn’t give me any option for IP address:
image
I prefer the http over the mqtt

Anything manual I have to do?

I got the same problem with the meross LAN before to discover that disconnecting the plug and reconnecting it, did the trick.
The device is added to the integration.

Will try it out, thanks for the suggestion :slight_smile: