ITEAD from Shenzhen (China) sells a series of ESP8266-based smart home products under the Sonoff brand, which is enjoying increasing popularity in the hobbyist community. The ESP8266 is a programmable SoC with WiFi, UART and SPI interface. It can be flashed with any firmware and is therefore suitable for many projects.
For our test we used the Sonoff Basic WiFi Wireless Switch including the original firmware and the corresponding app “eWeLink“.

Setup

For initial setup, the pairing button of the device has to be pressed for 5 seconds. It then opens its own, secure WiFi network, via which it can be paired. After entering the data of the WiFi network to be connected in the future, the Basic Switch is displayed in the app.

Main menu of the app

Online communication

Apart from the setup, there is no direct communication between the app and the Sonoff device, all switching commands are routed via the cloud (Amazon AWS EU).
The connection between the Sonoff switch and the manufacturer’s cloud is TLS1.2 encrypted and therefore well protected. The app communicates identically encrypted with the cloud servers, but after closing the app some unencrypted connections take place, mainly to analysis services of Tencent and Xiaomi.

Xiaomi analysis services

App

After decompiling the app, we found some well obfuscated classes. In the absence of a certificate pinning implementation, the encrypted parts of the web requests are only protected against simple man-in-the-middle attacks. However, a successful man-in-the-middle attack would require the attacker to install a certificate on the user’s device so that the communication can be eavesdropped or manipulated unnoticed.
Important data worthy of protection, such as the WiFi password, is stored in the secure app’s data folder in plain text. However, this does not lead to a devaluation, as this app area can only be read without restrictions on rooted smartphones.
More serious, however, is the detailed log file that the app stores in the public part of the storage (readable by everyone). The plain text log file contains tokens, API keys and also the access data for the Sonoff account.

App log file

Firmware update & hardware

The firmware can be updated via the app. Up to now, developers had also made use of this procedure in order to be able to install their own firmwares on the device. (e.g. SonOTA) This made it possible to install freely available firmware such as Tasmota or EasyESP, which were not part of this test.
With firmware version 1.6.0 available at the time of testing, the firmware update procedure was changed and 3rd party software was excluded from OTA updates.
Another way to install an alternative firmware has been left open or intentionally placed by the manufacturer. After opening the housing, solder points for a serial or FTDI interface are visible, via which the ESP8266 can be flashed directly.

Privacy

Unfortunately, no points can be awarded for privacy, as no privacy statement was available at the time of testing. Only a short description of the required, but also numerous android app’s permissions is available. These go far beyond the necessary functional scope of the app, which leaves the premonition that personal data could be collected and analyzed by Chinese companies.

Android app permissions

Conclusion

The pure functionality of the app and the Sonoff Basic WiFi Wireless Switch is well encrypted and protected against simple attacks. However, the overall impression is severely clouded by the unencrypted communication to Chinese analysis services, the many permissions of the Android app and the detailed log file stored in the public storage area of the smartphone.