codetheweb / tuyapi

🌧 An easy-to-use API for devices that use Tuya's cloud services. Documentation: https://codetheweb.github.io/tuyapi.
MIT License

Use Insecure Algorithm AES-ECB as Default Encryption Method #643

Closed tianjk99 closed 6 months ago

tianjk99 commented 6 months ago

Please check if there is any problem with using AES-ECB as the default encryption method.

  1. lib/cipher.js, line 51
  2. lib/cipher.js, line 72

This algorithm is known to have significant vulnerabilities that can be exploited by attackers, compromising the confidentiality and integrity of sensitive data. AES-ECB uses a fixed encryption key and does not incorporate an initialization vector (IV). As a result, it produces the same output for identical input blocks, making it susceptible to pattern recognition and exposing encrypted data patterns.

kueblc commented 6 months ago

This library is an interface to an existing product; the developers of this library have no affiliation with the developers of the protocol. Indeed, from a security standpoint, it was a poor cipher choice, but this is irrelevant as the protocol is implemented as designed.