Reclaim Your Data: Freeing a Wi-Fi Sensor from the Cloud

46 points by WaitWaitWha 5 months ago

5 comments

frazar0 5 months ago
> If the device was validating the server certificate, it wouldn’t make it this far, so that shows that our certificate was accepted.

One more very good reason for preventing requests to "the cloud".

However, I find it funny that the lack of proper certificate validation (which is a security issue in principle) is a pre-requisite for the "de-cloudification" process.
pmontra 5 months ago
IoT devices should come with at least a QR code to the documentation for the API, to be able to write our own backends. In that way they would sell the hardware, not the data of the people that installed those devices at home.
ce4 5 months ago
There's another thing not mentioned. From the payload it looks like one may be able to spoof other customers' sensors by altering the serial (maybe it's a contiguous number) and replay the request. Heck, it is just one "curl -X PUT -d ..." command away, the info is all in the article
shellfishgene 5 months ago
Would it still be possible to get at the data and disable connection to the actual cloud service if the device did check the certificate properly?
boomskats 5 months ago
I remember reading somewhere that this is how Valetudo works, like a mitm on a rooted robot vacuum.