Tuya security concerns in the news

Before I even start, no, I don’t care if some analyst in Beijing knows that I just turned on my holiday lights. With that said, I’m curious about the community’s feelings regarding some of the pretty alarming nuggets floating around in the news lately. From what I’ve seen the HA community is quite security-minded, and many folks won’t use integrations with cloud connections; I applaud those efforts but don’t have the technical know-how to pull it off and thus rely on a number of cloud-based integrations.

The polar opposite of the non-cloud-connected instance of HA may be the Tuya integration which on our website is said to be used by 14% of active installations. To quote this article from The Hill:
A recent investigation by cybersecurity firm Dark Cubed found that Tuya-powered devices “had at least one network connection to servers based in China … failed basic security checks … provided complete visibility into private images to anyone in the network … [and] are woefully insecure and sending data to China.” In other words, Tuya may well be funneling the information picked up on home security cameras and connected health devices — just to name two examples — back to Beijing.

I’m not just pointing the finger at Tuya; there are all sorts of examples of vulnerabilities in the IoT being exploited, like the 2016 the Mirai botnet attack. A version of this that could exploit our system is that a bad actor wants to interrupt a region’s power grid, so they turn everyone’s connected thermostat up at the same time.

So, as enthusiasts (and many of us experts) with respect to the IoT, do we as a community bear a responsibility to attempt not to increase the overall potential attack area available to ner-do-wells? At a very minimum the devs could publish caveats with suspect integrations like Tuya.

1 Like

Way, way above my pay grade.

I’ve always wondered about my privacy footprint and how vulnerable it is. I’ve made some efforts in reducing my exposure, but… Some would say using any products or services from any of the “big” players (Amazon, Google, Microsoft, etc…) increases that exposure.

I think proper security is a very difficult thing to achieve for folks like me, but the less you’re exposed (products used) the better off you should be.

Here’s a Devil’s advocate play. Would it disturb you if it was sending data to Iceland or the US instead?

There are some severe drawbacks of cloud based devices. One is the security aspect, you don’t know what information is sent to the service and what they are doing with it. Furthermore as these devices are directly interfacing with the internet, you depend on the quality of their software to secure your installation from intrusion. Apart from security there is also the risk that the cloud provider goes out of business or decides that it does not want to support your device anymore. Leaving you with an inoperable device.
Building your own infrastructure takes some effort and most of all a lot of study. Over the past two years I have grown my home automation installation to an Ubuntu server running Home Assistant with some 42 devices interfacing via MQTT, 21 433MHz devices interfacing via RfxCom and 12 security camera’s nearly all interfacing via ONVIF. The MQTT devices all are ESP8266 or ESP32 based and are all running the open source Tasmota software. 22 are Tuya or Shelly devices that I flashed with the Tasmota software so they are no longer running the vendors software or accessing cloud services. The remaining 20 are DIY devices that I built myself. The DIY projects are all sensors or bridges to heating, alarm, irrigation systems etc. The Tuya and Shelly devices are mostly for lights and plugs. Mains voltage on prototype boards with amateurishly soldered connections are not a good combination. That said, it becomes increasingly difficult tot convert the Tuya devices to Tasmota, so I will have to build future expansions for lights and plugs myself.

In terms of hours spent, the installation is hideously expensive in money spent not so much, mostly cheap Chinese imports. But the hours do not matter much as I am a pensioner with a lot of free time during a corona pandemic. It sure helps to have some background in ICT (50+ years in my case) or electronics, but with some study and experimenting you can get quite far.


US, definitely. Iceland, not so much.


Well said Frans.

I try to be realistic about security. I’m more worried about my devices being recruited into a bot-net army than someone hacking in to turn my lights on and off.

I just want to add that there are plenty of local options to use with HA. Frans mentioned Tasmota, and there’s also ESPHome, which I’m really starting to like for DIY devices. Easier still are off-the-shelf devices using Z-Wave and Zigbee. These create their own local mesh network; no WiFi vulnerabilities or vendor middleman at all.

I avoid buying any devices which require manufacturers’ cloud solutions. Sometimes a WiFi device can be set up using their cloud, then connected locally. After that, it’s possible to block the device in the router so the manufacturer can’t access it or push a firmware update. I’ve done this with my old TP-Link and BroadLink devices, but this is getting harder to do as manufacturers exert tighter control over their devices.

It doesn’t really matter, does it? The data can always be sent elsewhere later on. Like Frans said, we don’t know what any cloud provider does with that data.

Exactly, which is why I think we should flag integrations that are suspect. Our devs don’t even maintain the Tuya integration- Tuya does!

And that’s the point, where the consumer his own responsibility kicks in… Afraid of all that? Start thinking about this on the moment, when browsing AliExpress and seeing the super cheap Tuya stuff. Do not click on add to basket. Find a product, that does respect your privacy. Pay a bit more.
Or add it to the basket, pay less, be happy with it and accept everything, that came with YOUR choice… :slight_smile:

i wished i could still re-flash them with tasmota/esphome, that was cheap AND safe :yum:

That is why I don’t buy WiFi based Tuya devices anymore. You never know if it still contains an ESP.

Unless they can be opened up easy enough and chip-swapped to an ESP running ESPhome. I’ve done that to 4 devices in the last couple of weeks.

Swappa Toooyuhhh is the BEST For-Yuh!


I used to buy Tuya, thankfully I didn’t buy many. I’ve notoced lately the price-point difference between Tuya and Zigbee devices has disappeared.

I no longer buy Tuya and the few that I had have been retired.

What drove me to Tasmota was when ewlink/ IFTTT started charging for devices that I thought I had already paid for. Wasn’t the delay bad enough in switching things on but they wanted mo’money. Anyway a year and a half down that rabbit hole I am thankful to them for the learning experience. My soldering has improved and my personal satisfaction has gone thorough the roof. It’s the journey not the destination. Got to learn stuff from people like @digiblur …etc . Kept me out of trouble during COVID times.

1 Like

Everyone has to decide for themselves whether they should use Tuya or not. To me, the answer is a big YES. They are cheap, reliable, and cover many many different types of smart home devices. My only suggestion is they should setup some datacenter in US so my latency could be lower.

Some people may argue about the data being sent to China, but honestly is it worse than being sent to Amazon/Facebook/Google/etc. which eventually ends up in NSA database? If you are really concerned about that, there are many non-cloud devices on the market, but you’ll have to pay more.

With that being said, here are some precautions I took:

  1. All Tuya always-on devices(plugs, light bulbs) are controlled by localtuya, and their access to public network is banned on the router
  2. All Tuya non-always-on devices(like PIR sensor, water leak sensor, temperature sensor, etc.) connects to a single SSID whose network is isolated from the main one.

Hope these can help

1 Like

Does everyone live in the USA…? :man_facepalming: Want less latency, don’t use cloud based devices.

Allegedly the data center for the US is in the US, but as has been covered who knows what happens after that data goes there. I’m more worried about back doors into our devices.

1 Like

I’m not saying everyone has to live in US. If you have any knowledge about how global networks works, you’ll know that adding more data center in US has no impact on the speed of people in other continents/countries. Tuya devices (ideally) always talk to the nearest data center.

Interesting. When I setup my first Tuya devices years ago I did a sniffing in the router and the device was connecting to an IP in China. Good to know that they’ve built data center in US, or more likely rent machines from AWS😂

If you want to avoid soldering, it is rather easy to build a plug from this module ESP8266 ESP 12F Relay Module AC 90 250V DC 12V WIFI Relay Switch Module ESP 12F Remote Control for Arduino Smart Home|Relays| - AliExpress. They have them in 1, 4 and 8 channel versions. Oddly enough, I can’t find a 2 channel version.

1 Like