Smart plugs for sale at a wide range of retailers, including online marketplaces, risk exposing sensitive data to hackers or creating a serious fire risk, a Which? investigation has found.
Which? bought 10 smart plugs available from popular online retailers and marketplaces, ranging from well-known brands, such as TP-Link and Hive, to more obscure names such as Hictkon, Meross and Ajax Online. Working with security consultants NCC Group, experts found 13 vulnerabilities among nine of the plugs, including three rated as high impact and a further three as critical – all of which could pose a major risk to people’s homes.
One device had a critical fault that could cause a fire or even an explosion big enough to destroy the device plugged into it.
The Hictkon Smart Plug with Dual USB Ports, which was available on Amazon Marketplace, has been poorly designed, with the live connection far too close to an energy-monitoring chip. This could cause an arc – a luminous electrical discharge between two electrodes – which poses a fire risk, particularly to older homes with older wiring.
Which? believes that the Hictkon Smart Plug, which experts suspect came with a fake CE safety marking, is so dangerous that it should not be sold. Amazon has since taken this smart plug off sale pending an investigation. Anyone who has purchased one of these devices should unplug it and stop using it immediately.
Several of the products tested had a critical vulnerability that could allow cybercriminals to steal the network password and use that to hack not only the plugs and the hub, but also any other connected products, such as a thermostat, camera or potentially even a laptop.
Which? found this issue emerges when you connect two plugs – the Innr SP 222 Zigbee 3.0 Smart Plug, available on Amazon and eBay, and Ajax Online plugs, available on Amazon – to a Tuya hub, a commonly used hub for connecting Zigbee devices. As well as giving an attacker access to devices, this vulnerability could also divulge information such as when people are in and out of their homes, potentially a gift to criminals.
Which? found the same issue with the popular Hive Active plug, available at a wide range of retailers including Amazon, John Lewis, Currys PC World, B&Q and Screwfix, although the window of opportunity for attack was smaller on this device.
‘KEV, THERE’S A GUY PARKED IN OUR DRIVEWAY WATCHING NASCAR’
Experts also uncovered a critical issue with users’ wi-fi passwords not being encrypted during the setup of smart plugs, meaning an attacker could steal them. The Meross Smart Plug WiFi Socket, sold on Amazon and eBay, could allow a hacker to enjoy free internet at the user’s expense, monitor what sites a person is visiting and attempt to compromise other devices that they have connected to the smart home system.
In another case, testers found a flaw that meant an attacker could seize total control of the plug, and of the power going to the connected device. Once an attacker has gained access to the TP-Link Kasa, available at Amazon, Argos and Currys, the attack itself is straightforward. Once compromised, the hacked plug could remain on the network undetected, and provide a way in for cybercriminals to mount further attacks on your data and devices. TP-Link also transmits the email address used to set up the plug unencrypted, exposing it to potential hackers, who could use it in phishing scams.
Hive and TP-Link have both engaged positively with the findings. Which? has worked with both brands and they are in the process of fixing the respective issues with their products. Which? is also in ongoing talks with Innr while Meross has said it will fix the issue but this could take six months or more. But it has proved impossible to make contact with representatives of the little-known Hictkon brand. Which? has contacted Ajax Online about its findings but has not heard anything back.
Which? believes these latest findings further highlight the importance and urgency of new laws proposed by the Department for Digital, Culture, Media and Sport (DCMS), requiring smart devices sold in the UK to adhere to three basic security requirements. None of the plugs Which? tested would currently meet these requirements. None of them say at the point of sale how long the product will be supported with security updates. Hardly any of the devices Which? tested had a point of contact where it could report the vulnerabilities and problems it found, while many also use default passwords.
Which? wants this legislation to be backed by strong and effective enforcement and for the chosen enforcement body to ultimately have the power to suspend, permanently ban the sale of or recall non-compliant products where necessary.
The consumer champion also wants to see online marketplaces and retailers taking more responsibility for the safety and security of the products sold on their sites, regardless of whether the seller is a third-party.
NEW GOVERNMENT LAWS SOON, MAYBE… WHEN THE PANDEMIC IS OVER
The government published a paper on what to do about the problem back in 2018. It updated its proposals this summer, but there is no legislation planned right now.
Meanwhile, insurers and brokers are probably best advising home insurance customers to be very careful when buying and using smart plugs, perhaps producing handy infographic guides showing the risks and how to secure your data.