My newest weird conspiracy theory: A lot of those electronic door locks use a backend system which is called the Tuya app. It's an internet based service where you register yourself and your locks so you can "conveniently" control and lock/unlock "your" doors from everywhere. So the Tuya backend is technically able to unlock a lot of doors and it has geolocation data on all of these locks. What could possibly go wrong?
@jwildeboer
Its basically crapware. I got several really cheap smart sockets that I flashed to openbk firmware which removes tuya and adds mqtt. @koehntopp
@byteborg@jwildeboer@koehntopp That sounds interesting as I have a few smart sockets connected to my #HomeAssistant through the tuya ecosystem. Can you expand on how to flash and install firmware?
@koehntopp
No Tasmota, the chips they use are much smaller and cheaper than ESP and the like. Also, you need to solder a temporary 2mm pitch pinheader to the board and wire a programmer to tge board. Software lives here: https://github.com/openshwprojects/OpenBK7231T_App @jelmerdehaas@jwildeboer
@jwildeboer
Interesting. Then it's probably a 40+€ device. Most of the Tuya devices are sub 15€. I'm looking forward to your experiences. @koehntopp@jelmerdehaas
@deavmi It's a SPoF (Single Point of Failure) hiding in the background, IMHO. Highly centralised and run by a company that is still working hard on making break-even, according to their latest investor presentation, where they pride themselves on having drastically reduced expenses, mainly by reducing the workforce AKA firing a lot of people. Source: https://s27.q4cdn.com/751054641/files/doc_presentations/2023/Nov/29/tuya-23q3-presentation_vff.pdf
@lobingera At some point in time a master key leaks and all locks suddenly become a huge security risk. Insurances might refuse to pay when things get stolen from a house "secured" by Tuya. Etc.
A second pillar for the company, providing data for "goods liberation industry".
Technically, if Tuya is not located in one of the special jurisdictions that don't mirror US practice, you do not have an expectacy of privacy for the data stored with them.
Any bored attorney fishing with subpoenas might get the data, state actors, but of course, a digital lock with remote cloud control like that is rather useless.
Funny how the IT old hands are rushing to buy these smart locks.
Sorry that's one of the use cases where even very lazy colleagues tend to want to know beforehand why it's supposed to be secure.
That's not the case of outsourcing corporate security to a 3rd party (where I had in all cases a rough plan how to break in through our new weakness during the initial presentations of the products, but hey it saves money). This is often private.
@jwildeboer@lobingera the problem is not that someone can get in your house. The problem is, you won’t get in your house when the company has gone broke.
Add comment