Users of a smartphone-controlled, web-connected plug are putting the security of their home wi-fi networks at risk because of shoddy coding, researchers said Thursday.
Researchers from Bitdefender, who published a blog post laying out the holes in the connected plug’s security, declined to name the device, because they said the manufacturers were still working to close up the flaw.
But the vulnerabilities are serious and multifold, and could allow an attacker to reach into the home from anywhere in the world — not just to control the plug itself, but also to compromise the entire network, according to Bitdefender’s Chief Security Researcher Alexandru Balan.
The smart plug is basically an electrical switch interposed between the outlet and the plug of whichever electrical device the user wants to be able to control remotely. It generates a wi-fi hotspot, connects to the user’s home network, and can be controlled via a smartphone app — for either Android or iOS users. The Android version has been downloaded more than 10,000 times, according to the researchers.
Once the app is activated, it prompts the user to set up the smart plug by connecting to it via the user’s home wi-fi network.
But the app sends the user’s wi-fi name and password to the plug in clear text, and the plug’s own hotspot is protected by what the researchers describe as a “weak” default username and password combination. Unless the user changes that combination, any attacker can easily get access to the hotspot and thus, potentially, to the clear-text wi-fi network name and password.
“This type of attack enables a malicious party to leverage the vulnerability from anywhere in the world”, said Bitdefender’s Balan. “Up until now most Internet of Things vulnerabilities could be exploited only in the proximity of the smart home they were serving. However, this flaw allows hackers to control devices over the Internet … This is a serious vulnerability, we could see botnets made up of these power outlets.”
In addition, the smart plug can be configured to alert the user via email whenever it is switched on or off, but to do this, it requires access to the user’s email credentials, which, because of the weak default password on the device, could end up exposing them to hackers.
In accordance with Bitdefender’s responsible vulnerability disclosure policy, the blog post says, the manufacturer was privately notified of the security flaws and given 30 days to fix them before Thursday’s publication. Because the fix isn’t ready yet, the researchers say they will not identify the device or its maker until the patch is ready, which the manufacturer says will be before the end of next month.