Tuya - The Chinese IoT Behemoth
As the popularity of smart devices continues to grow, and consumers increasingly expect connected features in their gadgets, many more brands are looking to make their products smart. Whether they are established brands with no IoT capability or fly-by-night operations trying to cash in on the boom, the Chinese company Tuya saw a demand waiting to be met.
Making smart devices requires significant investment in research and development, cloud infrastructure, software engineering and hardware design. Many bespoke smart devices are therefore quite expensive, at least the good ones that work reliably. Tuya decided to fill the gap and allow many more companies to create these types of devices by offering an end-to-end platform service that covers all of those costly elements in one convenient package.
Companies signing on to the Tuya platform can create smart devices for a fraction of the cost and be up and running with a market-ready device in no time. Tuya provides the electronic components, the cloud services, the software, and even a custom-branded smartphone app.
As a result, Tuya-based devices tend to be the cheapest ones on the market. That can be a benefit to consumers, but also a curse. While the Tuya-provided parts of the product are well established and reasonably reliable, you're still left with potentially half-baked hardware quality and, with many of the cheap mass-market brands, little to no support. Buyer beware still applies, although there are plenty of reputable brands using the platform as well.
Started in 2014, Tuya began as a start-up that sought and received investment funding to produce its first WiFi module in 2015. With steady growth, further B and C round funding followed in 2017 and 2018, respectively, along with several innovation and smart tech awards.
In 2019 Tuya expanded into industrial IoT solutions across six sectors and received further investment through 2020, finally listing on the New York Stock Exchange in 2021.
By this point Tuya had their technology in over 410,000 products with 384,000 developers signed up across 220 countries. Estimates put the number of individual Tuya-powered devices at over 100 million worldwide, including security systems, surveillance cameras, manufacturing, and supply chain systems.
Privacy and Security
Being a Chinese-based company that uses cloud servers to control your smart devices, it is fair to be concerned about what data is being stored and where. Tuya uses several regional data centers in order to comply with varying data privacy laws in different jurisdictions, and claims that those data centers are independent and not connected back to China.
When working with the Tuya platform it is certainly apparent that failing to select the correct data center when trying to retrieve device information yields nothing at all, but it's not clear how much of this is hard segregation and how much is just a software filter. This is particularly important given Chinese laws requiring companies, both private and state controlled, to provide the government with access to user data.
Questions about how deep such ties run were behind the international backlash against Huawei in recent years, but oddly Tuya's stock market listing has not produced the same level of concern. There are rumblings from some analysts, however, that the US and other western governments should be regulating Tuya's activities more strongly.
An analysis by cybersecurity firm Dark3 (Dark Cubed) points out that Tuya owns the end-to-end data chain, and there's no way of knowing what they do with that data once it enters their systems. Furthermore, the various apps that each brand provides with their devices, although based on Tuya's framework, can vary significantly in app permissions, embedded tracking tools, and connections to other third-party services.
You can somewhat mitigate this unknown by only using Tuya's own Smart Life app, which works with all Tuya-based devices regardless of branding. It's not a perfect solution, but at least it's a single known quantity.
There hasn't been much scrutiny of individual devices using Tuya's platform, but there have been some noted security concerns about how data in transit is encrypted and how passwords are stored on the devices themselves. These can be issues with the device maker or with Tuya, so there is a lot of potential for problems given the number of brands involved.
These issues have driven significant improvements on Tuya's end, with major updates to the overall security implementation and the introduction of third-party security audits. The cloud platform currently holds no fewer than six security certifications, which is worthy of note given that most major smart home brands don't hold any.
Using Tuya devices offline
Many smart home enthusiasts (myself included) advocate for local control of our smart devices specifically to avoid concerns about privacy and data control. It is still common for smart home brands to use cloud-based servers to manage device control, analytics and remote access for their smartphone apps.
Tuya devices are designed to function only through the cloud, but some of the less consumer-focused home automation platforms can get around this by extracting the device keys from the Tuya platform and using them to communicate with the devices directly over the local network. Once that is done, the devices' access to the internet can be blocked entirely at your router without affecting their functionality. Note that the key is tied to the pairing: if you re-pair a device it is issued a new one, and you will need to extract it again.
Doing this means only the basic account details and device setup data remain on Tuya's systems, and it also means you don't need to use Tuya's app (or anyone else's) to control your devices, only the one for your smart home hub.
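The router side of that setup, as an added example that is not part of the original post: an nftables ruleset for a Linux-based router that drops anything a listed device tries to send towards the internet while leaving its LAN traffic to your hub untouched. The upstream interface name `wan0` and the two MAC addresses are placeholders I made up; substitute your own.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post.
# Assumptions: a Linux router running nftables, "wan0" is the upstream
# (internet-facing) interface, and the MAC addresses below are placeholders.

table inet tuya_lockdown {
    # Match devices by MAC address so the rule still applies if DHCP hands
    # out a different IP address later.
    set tuya_devices {
        type ether_addr
        elements = { 02:00:00:aa:bb:01,   # placeholder: smart plug
                     02:00:00:aa:bb:02 }  # placeholder: light strip
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Any packet from a listed device that would be forwarded out of the
        # upstream interface is dropped, whatever its destination: Tuya's
        # cloud, hard-coded IPs, NTP, anything. The inet family covers both
        # IPv4 and IPv6. Traffic between the device and hosts on the LAN is
        # switched or routed locally and never hits this rule.
        ether saddr @tuya_devices oifname "wan0" counter drop
    }
}
```

Load it with `nft -f` and check that the devices are still controllable from your hub; `nft list chain inet tuya_lockdown forward` shows the drop counter climbing as the devices keep trying to reach the cloud. Two things to be aware of: the rule only governs forwarded traffic, so the device can still talk to the router itself (DHCP, the router's DNS resolver), which is what you want; and with the cloud unreachable the device will no longer receive firmware updates from Tuya, so you are freezing it at its current firmware.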
So, should you use Tuya devices?
Tuya's commitment to security and privacy has come a long way in the last few years, and the certifications from major third-party security firms make that hard to dispute. The real question comes back to the commitment of the many device makers that use Tuya's platform, both in their build quality and in their unpublicized use of third-party services and trackers.
Tuya's own international data segregation is also unclear. Does the Chinese government still have the ability to demand access to data stored outside of China?
These questions make me wary of endorsing Tuya products, but the local control option, for those with the platforms and technical know-how to pull it off, goes a long way to mitigating these concerns.
It's also certainly the case that some regions may not offer many alternatives for specific device classes. In those cases you'll have to consider what kind of data the device can collect, how critical it is to your home, and what the implications of losing control of the data or the device would be. I would certainly stay away from any camera products, for one.