Smart plug warning from Which?
Smart plugs promise to help people run and monitor a range of gadgets and appliances around the home with their phone.
But some risk exposing sensitive data to hackers or creating a serious fire risk, according to a Which? investigation.
Which? bought 10 smart plugs available from popular online retailers and marketplaces, ranging from well-known brands, such as TP-Link and Hive, to more obscure names such as Hictkon, Meross and Ajax Online.
Working with security consultants NCC Group, experts found 13 vulnerabilities among nine of the plugs. Three of the issues were rated as ‘high impact’ and a further three as ‘critical’ – all of which could pose a major risk to people’s homes.
Which? says the Hictkon Smart Plug with Dual USB Ports, which was available on Amazon Marketplace, has been poorly designed, with the live connection far too close to an energy-monitoring chip.
This could cause an arc – a luminous electrical discharge between two electrodes – which poses a fire risk, particularly to older homes with older wiring.
Amazon has since taken this smart plug off sale pending an investigation.
Several of the products tested had a critical vulnerability that could allow cybercriminals to steal the network password and use that to hack not only the plugs and the hub, but also any other connected products, such as thermostats, cameras or laptops.
Which? found this issue emerges when you connect two plugs – the Innr SP 222 Zigbee 3.0 Smart Plug, available on Amazon and eBay, and Ajax Online plugs, available on Amazon – to a Tuya hub, a commonly used hub for connecting Zigbee devices.
As well as giving an attacker access to devices, this vulnerability could also divulge information such as when people are in and out of their homes.
Which? found the same issue with the popular Hive Active plug, although the window of opportunity for attack was smaller on this device.
Experts also uncovered a critical issue with users’ wi-fi passwords not being encrypted during the setup of smart plugs, meaning an attacker could steal them.
In another case, testers found a flaw that meant an attacker could seize total control of the plug, and of the power going to the connected device.
Once an attacker has gained access to the TP-Link Kasa, available at Amazon, Argos and Currys, the attack itself is straightforward.
Once compromised, the hacked plug could remain on the network undetected and provide a way in for cybercriminals to mount further attacks on your data and devices. TP-Link also transmits the email address used to set up the plug unencrypted, exposing it to potential hackers, who could use it in phishing scams.
Which? says Hive and TP-Link have both engaged positively with the findings. It is also in ongoing talks with Innr, while Meross has said it will fix the issue, although this could take six months or more.
But it has proved impossible to make contact with representatives of the little-known Hictkon brand. Which? has also contacted Ajax Online about its findings but has not received a response.
Which? believes these latest findings further highlight the importance and urgency of new laws proposed by the Department for Digital, Culture, Media and Sport (DCMS), requiring smart devices sold in the UK to adhere to three basic security requirements.
None of the plugs Which? tested would currently meet these requirements.
The consumer champion also wants to see online marketplaces and retailers taking more responsibility for the safety and security of the products sold on their sites, regardless of whether the seller is a third party.
Kate Bevan, Which? Computing editor, says: “Connected devices like smart plugs bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring.
“Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.
“Online marketplaces should also be given more legal responsibility for preventing unsafe products from being sold on their sites. In the meantime, online marketplaces, retailers and manufacturers must be far more proactive in preventing devices with security issues ending up in people’s homes.”