Smart plug warning from Which?

Written by: Emma Lunn
01/10/2020
The consumer group says some smart plugs are open to hackers while others could start a fire.

Smart plugs promise to help people run and monitor a range of gadgets and appliances around the home with their phone.

But some risk exposing sensitive data to hackers or creating a serious fire risk, according to a Which? investigation.

Which? bought 10 smart plugs available from popular online retailers and marketplaces, ranging from well-known brands, such as TP-Link and Hive, to more obscure names such as Hictkon, Meross and Ajax Online.

Working with security consultants NCC Group, experts found 13 vulnerabilities among nine of the plugs. Three of the issues were rated as ‘high impact’ and a further three as ‘critical’ – all of which could pose a major risk to people’s homes.

Which? says the Hictkon Smart Plug with Dual USB Ports, which was available on Amazon Marketplace, has been poorly designed, with the live connection far too close to an energy-monitoring chip.

This could cause an arc – a luminous electrical discharge between two electrodes – which poses a fire risk, particularly to older homes with older wiring.

Amazon has since taken this smart plug off sale pending an investigation.

Several of the products tested had a critical vulnerability that could allow cybercriminals to steal the network password and use that to hack not only the plugs and the hub, but also any other connected products, such as thermostats, cameras or laptops.

Which? found this issue emerges when you connect two plugs – the Innr SP 222 Zigbee 3.0 Smart Plug, available on Amazon and eBay, and Ajax Online plugs, available on Amazon – to a Tuya hub, a commonly used hub for connecting Zigbee devices.

As well as giving an attacker access to devices, this vulnerability could also divulge information such as when people are in and out of their homes.

Which? found the same issue with the popular Hive Active plug, although the window of opportunity for attack was smaller on this device.

Experts also uncovered a critical issue with users’ wi-fi passwords not being encrypted during the setup of smart plugs, meaning an attacker could steal them.

In another case, testers found a flaw that meant an attacker could seize total control of the plug, and of the power going to the connected device.

Once an attacker has gained access to the TP-Link Kasa, available at Amazon, Argos and Currys, the attack itself is straightforward.

Once compromised, the hacked plug could remain on the network undetected, and provide a way in for cybercriminals to mount further attacks on your data and devices. TP-Link also shares the email address used to set up the plug unencrypted, exposing it to potential hackers, who could use it in phishing scams.

Which? says Hive and TP-Link have both engaged positively with the findings. It is also in ongoing talks with Innr, while Meross has said it will fix the issue, although this could take six months or more.

But it has proved impossible to make contact with representatives of the little-known Hictkon brand. Which? has also contacted Ajax Online about its findings but has not had a response.

Which? believes these latest findings further highlight the importance and urgency of new laws proposed by the Department for Digital, Culture, Media and Sport (DCMS), requiring smart devices sold in the UK to adhere to three basic security requirements.

None of the plugs Which? tested would currently meet these requirements.

The consumer champion also wants to see online marketplaces and retailers taking more responsibility for the safety and security of the products sold on their sites, regardless of whether the seller is a third party.

Kate Bevan, Which? Computing editor, says: “Connected devices like smart plugs bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring.

“Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.

“Online marketplaces should also be given more legal responsibility for preventing unsafe products from being sold on their sites. In the meantime, online marketplaces, retailers and manufacturers must be far more proactive in preventing devices with security issues ending up in people’s homes.”
