Tasmota is the most common third-party firmware on Sonoff plugs, Wemos devices, and a long tail of Chinese smart-home hardware. Its serial output is extremely verbose — version, build flags, MQTT broker hostname, OTA URL, Wi-Fi connection log — all in plaintext. BootIntel reads it and flags the gaps before they're someone else's network foothold.
What BootIntel detects on Tasmota
- Tasmota version — flagged against the changelog for known security fixes. Versions before 13.0.0 have multiple unfixed advisories; we surface the exact gap.
- MQTT broker hostname/IP — visible during boot if MQTT is enabled. Leaks the home-automation backplane to anyone reading the UART.
- OTA URL — the configured update endpoint. If it's HTTP (not HTTPS) and DNS is hijackable, OTA is a trivial supply-chain attack.
- Web UI default password — Tasmota ships with no web password by default; boot output confirms whether one is set.
- Telemetry interval — high-frequency reporting on an unauthenticated MQTT broker is an information-disclosure vector.
- Wi-Fi SSID visibility — the SSID and any fall-back AP info echo to the console during connection.
What a typical Tasmota boot log looks like
00:00:00.001 HDW: ESP8266EX
00:00:00.039 CFG: Loaded from flash at F8, Count 17
00:00:00.054 QPC: Reset
00:00:00.094 BRY: Berry initialized, RAM used=3854
00:00:00.110 SRC: Restart
00:00:00.114 CFG: Initialized
00:00:00.131 SDB: Source Sonoff Basic
00:00:00.150 ROT: 0
00:00:00.171
00:00:00.171 Project tasmota Tasmota Version 12.5.0(release-tasmota)-2_7_4_9
00:00:00.182 WIF: Connecting to AP1 MyHomeWiFi Channel 6 BSSId BC:F7:1F:01:23:45 in mode 11N as tasmota-living-room...
00:00:01.234 WIF: Connected
00:00:01.245 HTP: Web server active on tasmota-living-room with IP address 192.168.1.42
00:00:01.350 MQT: Attempting connection to mqtt://homeassistant.local:1883 as user "" (no password)
00:00:01.560 MQT: Connected
00:00:01.580 OTA: URL: http://ota.tasmota.com/tasmota/release/tasmota.bin
Example findings BootIntel surfaces
- MQTT connected with no auth (CRITICAL on shared LANs) — line 13 connects as user="" with no password. Anyone on the LAN can subscribe and impersonate the device.
- OTA over plain HTTP (HIGH) — line 16 fetches firmware from http://ota.tasmota.com. Without TLS, a network MITM can swap the update payload. Tasmota now supports HTTPS for OTA; this device hasn't enabled it.
- Tasmota 12.5.0 outdated (MEDIUM) — known DoS issue in the rules engine fixed in 13.0.1. The exact subrelease appears on line 10.
- Web UI on 192.168.1.42 with no password mentioned (HIGH) — if no password line follows the HTP startup, the web UI is unauthenticated. Anyone on the LAN can re-flash.
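
Three of these checks can be expressed as a small log auditor run over lines from the sample boot log. This is an added example, not BootIntel's own code; the regular expressions and the `audit_boot_log` name are assumptions derived from the sample lines on this page, and the web UI password check is omitted because the sample does not show what a password line looks like.

```python
import re

# Four lines taken from the sample boot log on this page.
SAMPLE_LOG = '''\
00:00:00.171 Project tasmota Tasmota Version 12.5.0(release-tasmota)-2_7_4_9
00:00:01.245 HTP: Web server active on tasmota-living-room with IP address 192.168.1.42
00:00:01.350 MQT: Attempting connection to mqtt://homeassistant.local:1883 as user "" (no password)
00:00:01.580 OTA: URL: http://ota.tasmota.com/tasmota/release/tasmota.bin
'''

# Patterns are assumptions derived from the sample lines above.
VERSION_RE = re.compile(r"Tasmota Version (\d+)\.(\d+)\.(\d+)")
MQTT_RE = re.compile(r'MQT: Attempting connection to (\S+) as user "([^"]*)"(.*)')
OTA_RE = re.compile(r"OTA: URL: (\S+)")
MIN_VERSION = (13, 0, 0)  # threshold named in the page's version check


def audit_boot_log(text):
    """Return (severity, line_number, message) tuples for one boot log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if m := VERSION_RE.search(line):
            version = tuple(int(part) for part in m.groups())
            if version < MIN_VERSION:  # tuple comparison orders 12.10.0 after 12.5.0
                shown = ".".join(map(str, version))
                findings.append(("MEDIUM", lineno, f"Tasmota {shown} is older than 13.0.0"))
        if m := MQTT_RE.search(line):
            broker, user, rest = m.groups()
            if not user or "no password" in rest:
                findings.append(("CRITICAL", lineno, f"MQTT to {broker} without credentials"))
        if m := OTA_RE.search(line):
            url = m.group(1)
            if url.lower().startswith("http://"):
                findings.append(("HIGH", lineno, f"OTA over plain HTTP: {url}"))
    return findings


if __name__ == "__main__":
    for severity, lineno, message in audit_boot_log(SAMPLE_LOG):
        print(f"{severity:8} line {lineno}: {message}")
```

Line numbers in the output are relative to the four-line excerpt, not to the full boot log shown earlier.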
Related reading
- ESP32 device guide — the silicon underneath most modern Tasmota devices.
- Finding UART Pins on an Unknown Board — Sonoff and Tuya boards have non-obvious UART pads.