C

Sonoff Smart Home

Notable issues
ITEAD · 🇨🇳 China · WiFi + Bluetooth
Technical details
App: eWeLink
Manufacturer: ITEAD (Sonoff)

The bottom line

Your light switch command travels from your phone to a server in China and back to the switch on your wall. A light switch. In China. Sonoff has no local-only mode in stock firmware. Every time you turn on a light, the Chinese cloud knows. You can flash Tasmota to fix this — but then you're the IT department for a light switch. eWeLink powers 30+ smart home brands including Sonoff. A security flaw in eWeLink can compromise all of them at once. Researchers found API authentication weaknesses that could let attackers control any device on the platform. Your Sonoff switch shares infrastructure with dozens of brands you've never heard of. One breach, millions of homes.

Legal jurisdiction
🇨🇳 China (headquarters)
National Intelligence Law
Company must secretly hand data to Chinese intelligence on request
Data Security Law
State can classify any data as 'important' and demand access for national security
Spying
0/4 N/A
Is someone spying on me?
Data Sharing
2/4 MODERATE
Who gets my data?
Security
2/4 MODERATE
Is it actually secure?
Honesty
0/4 N/A
Can I trust what they say?
ACCEPTABLE: Moderate concerns. Standard privacy hygiene applies.
2 Contradictions
0 Critical
2 High
0 Medium
2 Sources
Findings by concern
Data Sharing 2/4 MODERATE 1 finding
⚡ high · marketing vs third party research

What they claim: Sonoff promotes affordable smart home automation for everyone

What we found: Sonoff devices connect through the eWeLink cloud platform hosted on servers in China. The eWeLink app requires account creation with email or phone, and all device commands route through Chinese cloud servers — even simple on/off commands for a light switch. While Sonoff devices can be flashed with open-source firmware (Tasmota) for local control, the stock firmware has no local-only mode.

Security 2/4 MODERATE 1 finding
⚡ high · privacy policy vs third party research

What they claim: eWeLink privacy policy describes standard data collection practices

What we found: The eWeLink platform (used by Sonoff and 30+ other Chinese IoT brands) collects device usage patterns, schedules, location, and network information. Security researchers found eWeLink's API had authentication weaknesses that could allow attackers to control any device on the platform. The shared platform means a vulnerability in eWeLink affects not just Sonoff but dozens of brands simultaneously.

Sources