The smart LED illuminant Yeelight A60 has an E27 base, RGBW LEDs and can be controlled via the corresponding Yeelight App and Google Assistant/Amazon Alexa. In our test, we answer the question of the security of the Xiaomi subsidiary’s lighting system.
App
The Yeelight Android App in version 3.1.62 was decompiled and analyzed by our testers. It was noticed that classes containing important program functionality are obfuscated. This effectively makes it difficult for potential attackers to investigate the source code and understand how the app works. Nevertheless, we were able to ensure that the app does not store any login data on the smartphone in unencrypted form. However, the app stores multiple files on the publicly readable storage (SD-Card), although this seems not to be necessary. The data stored includes log files (without sensitive contents) and firmware updates. By storing firmware update files unsecured, there is a risk of manipulation by other apps. This should be solved immediately by the manufacturer.
The iOS App version 3.1.33 has also undergone an analysis, but is identical to the Android App in terms of communication behavior and user interface.
Online Communication
Large parts of the Internet communication of the Yeelight app are TLS1.2 encrypted and thus protected against simple attacks. A certificate pinning is also implemented for the yeelight.com domain – however, this domain is not addressed at all during operation. To control the lighting, the app communicates with Amazon AWS servers, and during the test only with the host’s European servers.
The encryption used protects against simple man-in-the-middle attacks. However, if the attacker were able to install a certificate on the owner’s smartphone, attacks of this type would be possible. With direct access to the device, however, there are of course always extended attack possibilities, which is why we do not rate this fact negatively.
The Yeelight A60 lamp communicates solely via UDP with the cloud servers. A proprietary protocol is used, which is described in detail here. The communication is secured by a dynamically changing part (protection against replay attacks) as well as AES-128bit encrypted payload.
Firmware
The firmware update is downloaded over an unencrypted connection and is itself also unencrypted. It contains several compressed streams and checksums.
Although the XZ streams could not be processed sufficiently, manipulations cannot be ruled out when downloading via http connections.
According to our research, an ESP8266 microcontroller is installed in Yeelight lamps for WiFi connection and control. The firmware can be flashed with the help of existing solder points – but this is not possible without destroying the housing of the Yeelight A60 and is therefore not rated negative.
Local communication
There is no local communication between app and lamp with default settings. In the app itself, however, the feature “LAN control” can be activated in a somewhat hidden point. This enables the unencrypted, local control via third-party software. Examples can be found quickly in the OpenSource area. Although control is only unencrypted in the local network, it is laudable that it must first be activated manually.
Privacy
The Yeelight privacy policy is incorrectly linked on Google PlayStore and leads to the central Xiaomi privacy statement. However, the app itself refers to the correct privacy statement before data is entered. Since a login via the Xiaomi Single Sign-On platform is required, the Xiaomi Privacy Policy is also valid in certain respects.
The Yeelight privacy policy was last amended on 20.09.2018 and explains in an understandable way which information is recorded for which purpose. According to the privacy policy, only absolutely necessary information is recorded. Only the information on storage duration is formulated quite vaguely.
We were surprised that in the course of the test only European servers of Amazon AWS were contacted, but the privacy statement explains that data can also be relocated to data centers outside the current continent, where other privacy laws may apply. With other Xiaomi products, we were used to data storage within the owner’s continent.
The deletion of the Xiaomi and therefore Yeelight account is possible directly in the app. Good job!
What is incomprehensible, however, is the large number of permissions that the Yeelight app requests (e.g. phone, contacts, close other apps) – the privacy policy does not explain the necessity for all of them.
Conclusion
The Yeelight solution leaves our testers with a mixed picture regarding online communication. On the one hand, everyday online communication is completely encrypted and well protected, but the firmware update is downloaded unencrypted. This gives the otherwise secure product a bland aftertaste. With regard to the privacy issue, there are minor detail weaknesses that should be as easy to fix as the problems in the firmware update process.
Due to the existing flaws, the Yeelight A60 luminaire and the associated app are rated two out of three possible stars.