Last year, our landlord replaced our IOLite-controlled heating system with standard manually operated valves. Returning to manual control was inconvenient, so I sought a solution that:

  • Provided similar functionality
  • Integrated seamlessly with Home Assistant
  • Allowed local control for offline use
  • Required no reverse engineering (unlike IOLite)

This led me to the Tado X product line, which colleagues at work highly recommended. Notably, it supports Matter integration, making it an appealing choice.

Setup & Discovery

Setting up Tado was straightforward. After reading this forum article, I opted for the Matter integration, which worked flawlessly after pairing each device with the provided hub. Native Tado X support outside of Matter is currently limited, but the library maintainers plan to add it in the future.

Alongside its native app, Tado provides a Web UI for remote home control via a browser.

Investigating Authentication

Curious about how authentication was handled here, I inspected the system and found that token information was stored in local storage under the key ngStorage-token, implying that the frontend was AngularJS-based and used ngStorage.

Using jwt-cli to inspect the token didn’t reveal anything unusual. But this raised an important question:

What happens if I change my password?

While JWTs are not inherently revocable, in theory, a password reset should invalidate the refresh token used to issue new tokens.

The Security Flaw

I discovered a critical security flaw:

  • Even after a password reset, the refresh token remained valid indefinitely.
  • This meant attackers (or anyone with access to the token) could continue issuing new access tokens, with no way for the user to stop them.
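To make the flaw concrete from the defender's side, here is an added example (not Tado's code, and not from the original post) of a minimal HS256 JWT issuer in Python. It contrasts a refresh endpoint that checks only signature and expiry, which is the behaviour described above, with one that also binds each refresh token to a per-user `auth_version` counter that a password change increments, so every previously issued refresh token stops working. The signing key, user record, password hashing and claim names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed server-side signing key (in production: a managed secret, rotated).
SECRET = b"example-signing-key-do-not-use"

REFRESH_TTL = 30 * 24 * 3600   # refresh tokens live 30 days
ACCESS_TTL = 15 * 60           # access tokens live 15 minutes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Produce a compact HS256 JWT (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


class User:
    """Constructed user record; auth_version is bumped on every password change."""

    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.salt = os.urandom(16)
        self.password_hash = self._hash(password)
        self.auth_version = 1

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, self._hash(password))


USERS = {"alice": User("alice", "correct horse battery staple")}


def login(username: str, password: str) -> Optional[str]:
    """Issue a refresh token that records the user's current auth_version."""
    user = USERS.get(username)
    if user is None or not user.check(password):
        return None
    now = int(time.time())
    return sign({"sub": username, "typ": "refresh", "ver": user.auth_version,
                 "iat": now, "exp": now + REFRESH_TTL})


def _issue_access(username: str) -> str:
    now = int(time.time())
    return sign({"sub": username, "typ": "access", "iat": now, "exp": now + ACCESS_TTL})


def refresh_vulnerable(refresh_token: str) -> Optional[str]:
    """Flawed: a valid signature and a future exp are all that is checked."""
    claims = verify(refresh_token)
    if not claims or claims.get("typ") != "refresh":
        return None
    return _issue_access(claims["sub"])


def refresh_fixed(refresh_token: str) -> Optional[str]:
    """Fixed: the token's recorded auth_version must match the user's current one."""
    claims = verify(refresh_token)
    if not claims or claims.get("typ") != "refresh":
        return None
    user = USERS.get(claims.get("sub"))
    if user is None or claims.get("ver") != user.auth_version:
        return None  # password changed since issuance: token is dead
    return _issue_access(user.name)


def change_password(username: str, new_password: str) -> None:
    """Rotate the password hash and invalidate every outstanding refresh token."""
    user = USERS[username]
    user.password_hash = user._hash(new_password)
    user.auth_version += 1


def demo() -> tuple:
    """Returns ((vuln_ok, fixed_ok) before reset, (vuln_ok, fixed_ok) after reset)."""
    token = login("alice", "correct horse battery staple")
    before = (refresh_vulnerable(token) is not None, refresh_fixed(token) is not None)
    change_password("alice", "a brand new passphrase")
    after = (refresh_vulnerable(token) is not None, refresh_fixed(token) is not None)
    return before, after


if __name__ == "__main__":
    print(demo())  # expected: ((True, True), (True, False))
```

The same effect can be had with a server-side denylist or by storing refresh tokens in a database row that a password reset deletes; the version-claim approach is shown here because it needs no per-token state and still lets the server reject every token minted before the reset in O(1).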

Reporting the Issue

Unfortunately, Tado lacked a dedicated security reporting process. Everything had to go through customer support.

Timeline of Events

  • 31.12.2024 - First contact with customer support regarding the issue.
  • 21.01.2025 - Follow-up on my original security report to find out how it was being handled.
  • 12.02.2025 - Official deprecation of the insecure password flow, announced in the PyTado repo and on Home Assistant, along with migration guidelines and a deprecation timeline.

While it was great to see transparency around the API sunset, the communication process could have been smoother. Better coordination with Home Assistant's release cycle might have helped minimize disruption for users, especially since, according to reported stats, around 3.4% use this integration and would be affected.

Reflections

When reaching out to Tado's engineering team directly, I found them to be open and transparent. They acknowledged that they were aware of the weakness and had been pushing for a fix for a long time. Their willingness to engage in dialogue was refreshing and encouraging, especially for someone interested in infosec but not an expert in that field.

💡 Props to the engineers for engaging with the community! At no point did I feel discouraged from inspecting the system—on the contrary, I was encouraged to look further.

🚀 Tado, perhaps it's time to publish an official security policy to make the triage process easier? I'm not expecting some sort of bug bounty program, just an easier way to report security issues directly to the relevant folks.
