Internet Connected Lightswitches - Redux!


Regular readers will remember that I have had a disastrous experience with WiFi light switches. I've had pretty good results with LIFX bulbs - but I really wanted something which can control my lights' switches.

Enter the new WisQo smart lightswitches. The company claims that they'll work with the UK's "unique" wiring designs. They've kindly sent me a set to review - adjust your bias filters accordingly.

The good news is they actually work! The bad news is that the app is tedious to use. The good news is they work with Amazon Echo! The bad news is they're fairly insecure!

This review will show you how to fit them, and get them working with your voice assistant. I'll also take a brief look at their lack of security.

For more information, please visit https://www.wisqo.co.uk/

Unboxing

Depending on which kit you buy, you'll get a variety of boxes.

Several boxes of tech, piled up next to each other.

The base kit contains a light switch, a relay, and a WiFi gateway.

A small box with wires pprotruding from it, a light switch, assorted screws, and a manual.

The switches and relay work on 433MHz - I'm not sure what (if any) security they have. Switches need to be paired with relays. Plug the relay into a USB power source, then hold down the reset button until a LED starts flashing. Press your lightswitch and the two should pair. That was the easy part!

The switches are portable - they can be screwed to the wall, or stuck on with the included adhesive. They aren't battery powered though - as per their FAQ:

The switch does not require power supply, it utilizes the kinetic energy from the pressing force.

Nifty!

Installation

Unlike other IoT lighting solutions, you don't need to re-wire your existing switch. The relay needs to be installed in the ceiling rose. Here's mine, before installation.

A mess of wires descending from the ceiling.

The WisQo kit comes with terminal blocks so you can wire in fairly easily. WARNING electricity is dangerous. Make sure that you've turned off the circuit at the consumer unit. If in doubt, get a qualified electrician to help you fit everything.

The WisQo is wired in.

I had more neutral wires than the kit accounted for - but they managed to squeeze into the provided couplings.

There's a handy video in case you get stuck.

Everything wired in just fine - although the relay was slightly too large to fit inside the existing covering. I used the provided sticky pad to keep it flush to the ceiling.

The light assembly is put back together. The WisQo is sticking out of the ceiling.

The white wire is the antenna.

With that done, and my wiring double checked, I turned on the power and was able to use the light switch!

Connecting to the Internet

There's a WiFi-RF gateway which comes with the kit. It is USB powered and fairly small.

A little black box with a stubby antenna on it.

WisQo claim their hub can connect to 200 devices. I don't have that many light switches - but it worked perfectly well with two.

There are no mounting holes, sadly, but it is unobtrusive enough to be tucked away. It's 2.4GHz only, so won't work with your 5GHz networks. It is WiFi only - which I found a bit annoying. I'd have preferred to wire it in to my LAN. As it is, you have to download the app to send it your WiFi credentials.

App

All the boxes have QR codes pointing you to the app.

The QR code leads straight to the Google Play store

The Android app is basic - too basic really - but it doesn't request insane permissions. Once installed, the app is very quick to respond - a tap on the light and it toggles instantly. But, oh! It is a pain to set up.

You may have noticed the QR codes stuck to the relays. These are needed to pair with the app. But first, you need to create an account and sign in.

The login screen to the app, the username is prefilled.

Sometimes you open the app you have to type in a password. Why? My Lifx bulbs and my WeMo switches don't require that level of security. Annoying. The app occasionally crashes on opening. Frustrating when you need to use your lights.

Pairing the relays with the app was tricky - I'm still not sure how I did it. Lots of button mashing. Anyway, you've opened the app, typed in your password, now how do you switch on the light?

First, go to the home that your light switch is in. I'll just be using this in my main home - so a bit of a pain to have this step.
The home screen of the app

Then choose the room your light is in. (I only have one room - why do I need to do this?)
The room page of the app

Here's the light. Is it on or off?
The lightbulb page of the app

Tap it and it changes.
It's hard to see if the light is on from the app

The app works whether you're on WiFi or not. So you can toggle the light switches when you're out of the house.

There's also rudimentary support for timers.

A screen with some very basic controls for setting timers

The app works, but it is slow and annoying to use. Hardware manufacturers find software difficult. If only there was a better way...!

Alexa...

The WisQo works with Amazon's Echo - the smart voice assistant. Personally, I've never seen the use for one. But I guess it would be useful to be able to shout "Computer! Lights!" and have a mechanical slave do my bidding :-)

I picked up the £50 Amazon Dot - I could write a whole blog post about how bad it is - but here's how it works with the WisQo lights.

1. Find the settings page

Tucked away in the Alexa settings is the option to connect "Smart Home Skills".

Smart Home settings page in the Echo app

2. Connect your account

You need to connect your WisQo account to Amazon. This involves going off to a dodgy looking 3rd party page and entering your details.

The user is taken to a page with a confusing URL and unprofessional layout

Is it safe? Who knows?!
Why can't it use the WisQo app to provide authentication? Who knows?!

3. Success

Because you do the account linking in a web browser, you have to close that and return to the app.
A web page saying the set up has been a success
Isn't there an easier way?

4. Discovery

The app presents a button which promises to kick off discovery. It doesn't work.
A button on the app appears - it does nothing

My WisQo account knows all the devices I own - but I still have to manually "discover" them in the Dot's app.
A page in the app telling the user to discover some devices
Again, this is the sort of thing which should just happen automagically.

5. Discovered!

It found them!
Within the app there is a list of devices which have been discovered
Can I use them? Not quite yet!

6. Groups

Scrolling back up the page (seriously - why isn't this in a logical order?) we can add the lights to a named group.
Another page in the app for setting up groups of devices

7. Naming the group

Give several lights one name.
A page to configure all the groups

Now I can say "Alexa, turning on the kitchen lights" and she will obey.

Proof!

Bit of a palaver to set up - but works well enough!

The Alexa Skill is available in English and German. I'm still trying to find out whether I can just bark "Alexa, Kitchen" and have it understand me. The Echo's documentation is poor - there's a lot of trial and error involved to see what commands work.

Cost and Conclusion

A Switch, Relay, and Hub costs £60 on Amazon. You can buy a switch and relay for £36, and a switch by itself for £20.

Those prices are in line with other smart lighting solutions. A single Lifx bulb will be between £30 - £70 depending on which model you want. Similarly, a pair of Philips Hue bulbs and a Hub is around £60.

Lifx and Hue are simpler - just change a light bulb, no rewiring needed. They're bigger companies - so hopefully have decent support and well tested apps. They also work with Alexa, IFTTT, and have open source projects around them.

WisQo works with physical switches - that's its big advantage. Because they're wireless, you can stick them in a convenient location. It also means they'll work if your WiFi goes down, or if your phone is out of battery.

Your existing switch needs to stay in the "on" position permanently to provide power to the relay. I ended up sticking the WisQo switch to the wall above my normal switch.

A regular light switch in the on position. Above it is the WisQo switch stuck to the wall.

It isn't ideal - I might rewire the black switch so it is permanently shorted. Then put a blank face plate on it.

For me, the big advantage is that it wires in to my existing ceiling rose. As you can see, I've got a light which takes 4 bulbs. If I had to replace each bulb with a Lifx, I'd be looking at well over £150! I've got two of them in my kitchen - basically WisQo saves me £300!

Hacking & Security

Of course, it wouldn't be a proper review without some security poking. Here's what I found.

Default passwords

The WiFi gateway asks for credentials before you can use it. On a whim, I tried the trusty "admin" as both username and password - and got straight in!

Admin screen in Chinese

Everything is in Chinese - but there is an English option.

There's nothing particularly interesting - although there is this serial port control screen.

Screen showing various baud rates which can be set

A quick nmap shows that only port 80 is open - that's a good thing!

Nikito thinks that the server is Microsoft-IIS/5.0. I don't think that can be right.

It appears to be running Linux - although no GPL licence was included with the product - that's a bad thing!

The HTML is a bit outdated (marquee tags!) but there are no obvious security flaws.

Reverse Engineering

Digging deeper into the app, we find some very disappointing news.

Email addresses and passwords are sent in the clear! The server returns a token which is used to "authenticate" calls to turn the lights on and off. I couldn't see a clear indication that calls were signed. I'm not sure if it is possible to switch off others' light switches.

It looks like it will be fairly easy to reverse engineer the calls to write your own controller.

The main server appears to be:

public interface Server {
    public static final String host = "47.88.22.30";
    public static final int port = 10100;
}

It appears to be a Linux box (good!) with exposed MySQL ports (bad!) running on Alibaba's cloud infrastructure (good!) but an old version of nginx/1.6.0 (bad!). So a bit of a mixed bunch!

Images from the app are downloaded over http - so there's some information leakage there.

Like most IoT devices, security is very much an afterthought. There's a limit to the amount of damage an attacker can do with access to your light switches (burn out your bulbs? Induce an epileptic fit? Send Morse code?). You also need to install a box on your network which makes a permanent connection to exotic IP addresses.

At the moment, there's no good way to design a network for IoT devices which is simultaneously usable and secure. So sit back and hope they don't get hacked.

Final thoughts

The WisQo smart light switches work very well and are fairly easy to install. The voice control is handy. They're let down by a lacklustre app and poor security.

You can buy WisQo smart lightswitches on Amazon UK.

What do you reckon?