Sensitive data in Tuya logs

[jimtng]

I have been somewhat reluctant to post TRACE logs here because I am not sure how sensitive it is to publicly post the deviceid/productid/localkey. If such information is sensitive, would it be a good idea to mask/conceal the first N characters in the logs for ease of copy pasting.

I understand that they are needed for actual troubleshooting to match the device, etc, so perhaps it could be made a binding configuration, with the default being masked, and the ability to disable the masking? So the binding config would be something like hideLogIdChars=6 (default), and hideLogIdChars=0 to disable it.

[J-N-K]

That's difficult to implement and TBH I don't see much risk here. The sensitive information is your account information (username, password, access id and access secret).

• The productKey is something like a model identifier, all devices of the same type have the same productKey, that is not sensitive at all.
• The deviceId alone does not allow access to the device from the API if the device is not paired with the cloud project that is used to access the API. This requires the credentials I mentioned above.
• The localKey could be used to control your device, but that requires access to your local network. I believe you are in big trouble then anyway, because the attacker could also use the openHAB UI to control your smart home. Debugging is very difficult without the localKey, because it is impossible to decrypt the messages otherwise.

If you feel more safe, replace the localKey, beside that I don't think that sensitive information is logged at all.