Welcome to TP-LINK Tech Support Forum
  1. #1

    KASA (Android) BUG


    Sadly I see no forum for the KASA app so I will post the problem here as I only have smart plugs.

    I have observed an annoying bug in the Kasa Android app which has a kind of workaround which isn't great.

    1) When plugs are set: remote = on
    and I sign out of Kasa, then

    All plugs go to local mode and can be operated for a time. However,
    suddenly they will disappear or if the app is restarted they will not be

    Workaround: enter the settings for a plug and it will retain the local plugs, but
    the app must not be restarted and you must leave it in the settings of one plug.

    2) When plugs are set: remote = off
    and we sign out of Kasa, then

    All plugs go to local and can be operated even if app is restarted.

    HOWEVER, a) Alexa cannot control plugs anymore

    Please fix app so that signing out does not stop local control when
    plugs are set to remote=on.

    There is no reason why local control should
    not operate when signed out, in fact it works fine for a while or as
    long as the conditions I mentioned are adhered to.

  2. #2
    As far as I know, if you log out of the Kasa account then you can't see or control the devices bound to other accounts. This is for security concerns, isn't it right?

  3. #3
    Quote Originally Posted by Anton L.Z. View Post
    As far as I know, if you log out of the Kasa account then you can't see or control the devices bound to other accounts. This is for security concerns, isn't it right?
    Well, firstly, it isn't rocket science to write an app that ties the current devices to your account without having to be logged on constantly to a server. It's plain sloppy programming.

    Personally I find it more of a security concern that I have to trust my data and network password to someone else's server 24/7 than any so-called security risk from someone unlikely to gain access to my home network, which is locked down at MAC level.

    Secondly, if it were secure in its current form and intentionally done, the mere fact that I can force it to keep the plugs going in local mode with the workaround shows how "security" minded and "skilled" the software writers actually are.

    If TP-Link were concerned about security then we wouldn't have the issues detailed in the articles linked below, which are of much more concern than any issue of local operation could possibly present, and TP-Link doesn't appear to address, or want to address, those any time soon or, probably, ever.



    Sorry if this comes across as harsh, but these devices cost 2 to 3 times the competition and one would expect better care and thought for that price.

  4. #4
    Doesn't this come down to whether you trust TP Link or you don't? Signing out from their app doesn't necessarily mean the app won't still be contacting their servers, only that you cannot. Turning off remote access doesn't mean the devices will no longer contact the TP Link servers (by all accounts they still do, and they continue contacting servers all over the world to time sync); it only means you can't access them yourself.

    If you don't like sharing your info deny the devices access to the internet and find a 3rd party server app to bypass the TP Link servers. Mine for example gives remote access using your google account with proper permissions so you own the entire stack.

  5. #5
    Quote Originally Posted by MikeP_AutomationManager View Post
    Doesn't this come down to you either trust TP Link or you don't? .....
    Yes, well, after reading those articles I don't trust them in matters of security. E.g. the encryption is laughable and dead easy to decrypt. So after buying I am now having to reconsider somewhat.

    Quote Originally Posted by MikeP_AutomationManager View Post

    If you don't like sharing your info deny the devices access to the internet and find a 3rd party server app to bypass the TP Link servers. Mine for example gives remote access using your google account with proper permissions so you own the entire stack.
    Didn't know that was possible, and not sure how that works. Personally there is a small interest in remoting from outside, e.g. it's nice to turn my coffee machine on 30 mins before arriving home, but I never bought the plugs for that; I wanted Alexa to control them mainly, but Kasa was needed for that skill to work.

    What 3rd party apps work with these? I'll have to look at that angle.
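The "laughable" encryption the poster refers to is, on my reading, the obfuscation that the public reverse-engineering write-ups describe for the plugs' local port-9999 protocol: an XOR autokey whose initial key is the constant 171. That attribution is an assumption, since the thread does not name the article. The following is an added example, written for this page and not code from the forum, from TP-Link or from any app mentioned here; it implements that scheme end to end so you can see why it offers no confidentiality: the key is fixed in firmware, and every later key byte is simply the previous ciphertext byte, so anyone who can observe LAN traffic can decode and forge every command with no secret at all. The sample capture is constructed with the functions below, not taken from a real plug.

```python
"""Added example (not from the thread or from TP-Link): the XOR autokey
obfuscation on the Kasa/HS1xx local port-9999 protocol, plus the TCP
framing around it. The 171 initial key is a hard-coded constant."""
import json
import struct

INITIAL_KEY = 171  # hard-coded in the firmware; it is not a secret


def encrypt(plaintext: bytes) -> bytes:
    """XOR autokey: each plaintext byte is XORed with the previous ciphertext byte."""
    key = INITIAL_KEY
    out = bytearray()
    for b in plaintext:
        key ^= b            # the ciphertext byte just produced becomes the next key
        out.append(key)
    return bytes(out)


def decrypt(ciphertext: bytes) -> bytes:
    """Inverse: the previous *ciphertext* byte is the key for the next byte."""
    key = INITIAL_KEY
    out = bytearray()
    for b in ciphertext:
        out.append(key ^ b)
        key = b
    return bytes(out)


def frame_tcp(command: dict) -> bytes:
    """Over TCP the obfuscated JSON is prefixed with a 4-byte big-endian
    length; the UDP variant sends the body without the prefix."""
    body = encrypt(json.dumps(command, separators=(",", ":")).encode())
    return struct.pack(">I", len(body)) + body


def unframe_tcp(frame: bytes) -> dict:
    """Decode one TCP frame back into the JSON command it carries."""
    if len(frame) < 4:
        raise ValueError("frame too short for a length prefix")
    (n,) = struct.unpack(">I", frame[:4])
    if len(frame) < 4 + n:
        raise ValueError("truncated frame: %d of %d body bytes" % (len(frame) - 4, n))
    return json.loads(decrypt(frame[4:4 + n]).decode())


def decode_capture(tcp_payloads: list) -> list:
    """Passive decoding of sniffed TCP payloads, exactly as an on-path
    observer on the LAN could do it: no key material is needed."""
    return [unframe_tcp(p) for p in tcp_payloads]


# Constructed sample: the bytes a plug would receive for a get_sysinfo query.
# Computed with the functions above, not copied from a real capture.
SAMPLE_GET_SYSINFO = bytes.fromhex(
    "0000001d"  # length prefix: 29 body bytes follow
    "d0f281f88bff9af7d5ef94b6d1b4c09fec95e68fe187e8caf08bf68bf6"
)

if __name__ == "__main__":
    relay_on = frame_tcp({"system": {"set_relay_state": {"state": 1}}})
    for cmd in decode_capture([SAMPLE_GET_SYSINFO, relay_on]):
        print(cmd)
```

Nothing in this exchange authenticates the sender either, which is why the router-level lockdown the poster mentions (and the "block the plugs from leaving the LAN" advice later in the thread) is the only real barrier: the local command channel is as open as the wire it runs on.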

  6. #6
    Yeah, it's a bit tricky: even to control the switches locally you need Kasa (or an alternative), and if you use any scheduling the TP Link devices need access to the internet to keep time synced.

    If you don't need remote access or scheduling and just want an easy way to turn them on/off you can use my WemoHome app as it always accesses the devices locally - you can use your router's firewall to block them going out. Trying to block and use Kasa locally is a bit tricky.

    I also have AutomationManager which you can run as a server to add logging, remote access, scheduling, and other automation & integration while still preventing the device from reaching the internet (which has started to be strongly recommended for IoT devices!).

    You can see more by clicking on my name here to go to my guest page. There are other apps/methods which I'm sure others will advocate; I recommend mine because it's the best.

  7. #7
    Thanks for the link, didn't realise you had produced an offline app.

    I spent a few hours earlier learning how to get the token and device ID and use curl to control the switches, but this is really just sending the request to the server, which doesn't know it's not Kasa.

    Your app is worth looking into, but I'm guessing that Alexa won't work with it since the skill involved, I presume, needs some contact with the TP-Link server.

    Do you have a trial version?

    The more I look at these devices the more I'm convinced the vendors are acting irresponsibly and should be legally bound to adhere to strict privacy and security guidelines. I'm ambivalent as to whether to keep these plugs or toss them in the bin.

  8. #8
    If you run my server on an Android device it can expose the TP Links for local control through Alexa, so the only cloud is Alexa's voice analysis. No skill is required.

    I don't have a trial version (other than the Java version, which is free for on/off control), but I do have a full refund policy; the procedure is the first FAQ on my site. An $8.99 investment to save how much from the bin?

    Too true about the vendors. Hopefully the US & Euro companies are complying with the privacy laws (and can be trusted to avoid bugs and being hacked; Belkin for example leaks devices between user accounts). TP Link is a China-based company so I'm not sure how privacy laws apply to them... I'm most frightened by the cheap cloud-only devices (no local API at all) coming from small unregulated companies; privacy and even device protection is a huge risk.

  9. #9
    Point taken, Mike, it's just that I am not sure exactly how your app works. I do as little with Google as I can, and it appears that I may need to use Google Drive? I am also unsure about accessing from outside, but I can give this idea up for the occasions that I might have wanted to use it.

    I am currently talking to TP-Link engineers and arguing about their policies. Maybe they will take some notice; I've already pressed for a comment from one of the senior engineers, who states this in response to the first link I posted earlier about the vulnerabilities.

    "The mechanism is actually for the possible risk in local communication as the article referred to.
    Because not all households could set access control in the router.
    And we will have a further check for the following comments:
    TLS cloud connection could be intercepted with any valid Symantec EV certificate (only Root CA is checked)
    Undocumented configuration and debug service (TDDP)"

    I also took issue with the fact that when I tried to change my email on Kasa (I'd stupidly put in one that I wouldn't want to throw away) I couldn't do it, so I created another account and found there is no way to delete my old account. I insisted and got this: in order to fob me off they said they couldn't delete the account because it was "hardware coded". After insisting that I talk to someone higher up they are in the process of deleting it, but this is just another thing that bugs me. Who does that? Almost every service that you may sign up for will give you a way to delete your account. Not TP-Link though: create an account and it's there for life.

    I agree with your comment on the cheaper devices; it is why I decided to pay more for the TP-Link, and hence my disappointment, but I'm sure I'd be horrified by the glaring problems on the cheaper devices.
    Last edited by louiscar; 01-10-2018 at 04:14.
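The engineer's line "only Root CA is checked" describes a TLS client that confirms the server certificate chains to a trusted root but never checks which server the leaf certificate actually names, so any certificate from the same CA (one an attacker legitimately buys for their own domain, for instance) is accepted and the cloud connection can be intercepted. The following is an added example written for this page, not code from the thread, from TP-Link or from the Kasa app; it contrasts that weak check with the three checks a client should make (chain trust, leaf identity per RFC 6125 name matching, and an optional public-key pin). The certificate records are constructed and simplified (a list of SAN dNSNames plus placeholder SPKI bytes) so the example runs offline without real X.509 parsing.

```python
"""Added example (not from the thread, TP-Link or Kasa): why validating the
chain alone is not enough, with constructed certificate records."""
import hashlib
from typing import Optional, Tuple


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName matching: case-insensitive, wildcard allowed
    only as the entire leftmost label, never across dots, never for a TLD."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # reject "*.com", "f*o.example.com" and "a.*.example.com"
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def root_ca_only(cert: dict, chain_trusted: bool) -> bool:
    """The weak check the quote describes: accept any leaf that chains to a
    trusted root, no matter whose name is on it."""
    return chain_trusted


def verify_peer(cert: dict, expected_host: str, chain_trusted: bool,
                pinned_spki_sha256: Optional[bytes] = None) -> Tuple[bool, str]:
    """Chain trust, then leaf identity, then (optionally) a key pin."""
    if not chain_trusted:
        return (False, "chain does not lead to a trusted root")
    if not any(hostname_matches(n, expected_host) for n in cert["san"]):
        return (False, "certificate is not issued for %s" % expected_host)
    if pinned_spki_sha256 is not None:
        if hashlib.sha256(cert["spki_der"]).digest() != pinned_spki_sha256:
            return (False, "public key does not match the pinned key")
    return (True, "ok")


# Constructed certificate records; hostnames and SPKI bytes are placeholders.
HOST = "api.vendor-cloud.example"
GENUINE = {"san": ["api.vendor-cloud.example", "*.vendor-cloud.example"],
           "spki_der": b"constructed-spki-of-genuine-cloud-server"}
ATTACKER = {"san": ["attacker.example"],           # issued by the same trusted CA
            "spki_der": b"constructed-spki-of-attacker"}
MISISSUED = {"san": ["api.vendor-cloud.example"],  # right name, wrong key
             "spki_der": b"constructed-spki-of-misissued-cert"}
PIN = hashlib.sha256(GENUINE["spki_der"]).digest()

if __name__ == "__main__":
    for name, cert in [("genuine", GENUINE), ("attacker", ATTACKER), ("misissued", MISISSUED)]:
        print(name, "root-only:", root_ca_only(cert, True),
              "full:", verify_peer(cert, HOST, True, PIN))
```

In Python's own `ssl` module the "full" behaviour is what `ssl.create_default_context()` gives you (`check_hostname=True`, `verify_mode=ssl.CERT_REQUIRED`); a client that sets `check_hostname=False` is in the "root-only" state the engineer describes. A pin, if you want the third check, is computed over the DER certificate or its SubjectPublicKeyInfo obtained from `getpeercert(binary_form=True)`.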

  10. #10
    What my app does is use local device APIs (I won't ever integrate a device with a cloud-only API). Then what I've done is leverage the Android OS to provide additional function and automation. All of them then show up in my app as managed devices. So the way it works is as a central hub running a rules engine, using the Android OS for things like current time, schedules, etc., and talking directly to each device. Remote access is provided either directly over an encrypted connection (the best choice if you know how to configure your router), or (actually, and) by an easier method to set up that uses the Google cloud via the Google Drive API (which means you own and control your data, not me: the opposite of what TP Link does). Google Drive is integrated with IFTTT, which is in turn available from Alexa and Google Assistant. There is a Java version of the server that'll run on most anything, but unfortunately without Android, so no Google integration.

    I think that TP Link response has really hit on the risk. Their target market is users who don't know how to configure a router, so they won't know how to protect themselves... Then (with all due respect to the TP Link engineers), between the language and the cultural barriers, they're going to struggle with understanding why we're concerned... if they care at all; it's a powerful position to have a bridge into everyone's local network. Because of course the real goal of IoT cloud vendors is control. We know Amazon doesn't want to make our fridge smart to help us live better; they want to make it smart so that it'll be easier to order milk from them (hence Whole Foods and more)...

  11. #11
    OK, so I can set up the router if I know exactly what to do. I'd prefer not to sign up for Google Drive unless it is without giving them more of my details than they already have.

    The Android device as server seems to be the weak link here, i.e. devoting an old redundant device plugged into the mains to keep it online all the time.
    Alternatively I have a QNAP NAS, which would be ideal as that is always running, or perhaps I could use a Raspberry Pi. The QNAP does support VMs, so perhaps it can run a version of Android; I don't know if that is possible?

  12. #12
    See, I think it's the Pis that are old and redundant; the Android has lots of things the Pi doesn't have, like a backup battery and a built-in touch screen, plus access to all of the cool Google services.

    The rule engine can run on anything that supports Java (Linux/Windows/Mac), so it'll probably run on your NAS, and it does run on a Pi. For setting up the rule engine and for remote access, even through your router, you need the Android version (it's how I manage licensing), but it'll run in an emulator as a client to manage the server, or as the server if the emulator has Google Play and GMS.

    Google Drive comes as part of your Google account (which you get when you have Gmail, and you need to get the app itself from Google Play), so I'm pretty sure there's nothing more to set up once you're in that deep...

  13. #13
    The Pi is far from redundant. It has no battery so needs no backup, although it's not hard to rig a battery pack up. A touch screen can be added, so to be fair it may not be ideal for something that relies on Android services, but it was designed for education and has a huge variety of applications it can be used for. It all depends what you use it for, but redundant? Hell no.

    As for Android devices, they are designed to remove control from the user so Google can have their way with your data unless you root them, and something I get annoyed about is the distinct LACK of battery backup. Devices now come with embedded batteries; then when that dies, so does your fancy $600 phone.

    Thankfully I still have one of the last Samsung phones with replaceable batteries.
    Last edited by louiscar; 01-11-2018 at 17:49.

  14. #14
    I meant redundant as tongue in cheek, teasing back to your comment about the Android device as the weak link... Sure, for people who prefer Linux the Pi is a fine choice. Kind of expensive though, especially when you add the battery, touch screen, and power. An Android phone with all that is < $30 from Best Buy, and the battery is replaceable if it's ever necessary (I have automation for safer charging). Either will work with my app.

    One advantage is that the same Android device can then be used as a central console for home automation; my app has a pretty comprehensive set of widgets for single-touch control. As well, such a device can display time, weather, calendar/schedule, thermostats, cameras, security system, etc., all of which can be customized, and the device itself can be upgraded as they improve. For example, I have tablets upstairs and downstairs for easy access including touch and voice; they respond to Google Assistant commands as well. Old phones are good as replacement switches: I've one in the kitchen that's converted a single switch for 4 lights into a customized display, now with 4 separate widgets, one for each light.

    The Pi is excellent for automation and you have more direct control over it than the constrained Android environment, but it does need extras to make it really convenient and more skill to set up.



Copyright 1996-2018 TP-LINK Technologies Co., Ltd. All rights reserved.