Security Concerns with Govee Devices - Seeking Solutions and Alternatives (H5072/H5075)

Hello community,

I wanted to bring attention to some security issues I’ve identified with Govee devices, specifically the H5075 model. It appears that these devices broadcast data unencrypted, making it accessible to anyone who installs the Govee app. Even historical data is openly visible. This poses a significant security risk, and I’d like to discuss potential solutions and alternatives.

  1. Remote Binding and Home Assistant Compatibility:
    The firmware allows binding Govee H5075 to an app without physical presence. This renders them unavailable to Home Assistant and may cause issues with functionalities such as thermostat control.

  2. Privacy Concerns with Humidity Changes:
    The ease with which one can determine whether someone is at home based on humidity changes raises serious privacy concerns. This information could be exploited by malicious actors.

Is there a way to enhance the security of Govee devices, such as implementing encrypted data transmission or locking down the broadcast to authorized users? If not, are there reliable and affordable alternatives to the Govee H5075 that prioritize user privacy and data security?

Thank you for your time and expertise!
Oliver

The cheap Xiaomi BLE sensors allow you to run your own firmware with encryption support.

In the Govee app there is a “device safety” setting so that it can only be used by the current account. Not sure if this stops the data being observed outside of the app. Will give it a try and see.

Can I still use the H5075 with Home Assistant when device safety is turned on?

TBH, I never tried it afterwards, as you need to create an account to apply it, so I wasn’t going through an account creation just to try it.

I just created an account in the Govee Home app for testing this; added an H5075; switched on “device safety”, upon which Home Assistant immediately lost access to it. Returned safety to off and the device began updating my dashboard within a few minutes.