Security Researchers Find Vulnerabilities in UK WiFi Smart Plugs

Tuesday, May 18th, 2021 (9:33 am)

The Head of Technical Cyber Security at A&O IT Group, Richard Hughes, has today warned UK consumers to be careful when buying cheap WiFi Smart Plugs from Amazon, eBay or AliExpress because some devices were found to harbour significant security vulnerabilities that could leave end-users exposed.

The research looked at two smart plugs described as “popular”: the Sonoff S26 and the Ener-J Wi-Fi Smart Plug. The Ener-J is sold under other brand names and is believed to be a white-labelled Tuya product (its firmware supports this theory). Both retail for around £10 and let you switch connected devices on and off, among other things, via a WiFi app on your mobile phone or computer.

After buying the devices himself, Richard delved into them and found various “simple security errors”, such as passwords published in the user guides (one device used a universal default password of.. wait for it.. “12345678”), unencrypted (HTTP) traffic between the smart plug and the mobile device that controls it, and WiFi credentials that were easy to capture.

Richard “also managed to upload malicious firmware on the devices, something that costs less than £5 to do and provides exact locations of the smart plugs as well as allowing cyber criminals to launch cyber attacks from users’ WiFi networks without being caught,” said the announcement. The firmware attack is a physical supply-chain one: the manufacturer advice below concerns the enclosure and the flashing connections, i.e. a device altered before it reaches the buyer. A&O IT Group’s cyber security division disclosed its findings to Sonoff but has not yet received a response.

NOTE: The UK Government’s new Secure by Design proposals aim to ban some poor practices, such as the use of universal default passwords.

Richard has also issued some advice for manufacturers and consumers on the subject.

What can manufacturers do to help prevent their devices being modified with malicious firmware?

• Glue or weld plastic enclosures so that it is more difficult to tamper with a device without leaving evidence in the form of cosmetic damage to the enclosure.

• Use hardware that requires a cryptographically signed firmware image.

• Coat components and connections required for dumping/flashing firmware with an epoxy resin, the removal of which would damage the components leaving the device inoperable.

• Use only approved distributors to form a trusted supply chain.

• Work with a security consultancy during product design to help ensure devices are as secure as possible before reaching production.

What can users do to protect themselves?

• Examine the device for any signs that it has been tampered with before connecting it to your network. Currently this will not be that effective, as this research demonstrates it is possible to modify firmware while leaving no traces.

• If possible, place untrusted devices on a separate network or VLAN.

• For the more technically savvy, monitor the communications of the device with a packet sniffer and try to confirm that all connections are valid. An organization may wish to have a vulnerability assessment completed by experienced security consultants.
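An added example, not from the article or from A&O IT Group’s research, of the kind of check the last bullet describes. It covers both points raised above: the plaintext HTTP and capturable WiFi credentials found on the plugs, and confirming that every connection the device makes is one you expect. The script reads a classic pcap (as written by tcpdump or Wireshark) using only the Python standard library, flags plaintext HTTP to or from the plug, credential-looking fields sent in the clear, and any peer not on an allowlist. The capture, IP addresses, hostnames and allowlist are constructed for the example.

```python
# Audit a packet capture of a smart plug: plaintext HTTP, credentials in the
# clear, and connections to peers that are not on an allowlist.  Stdlib only.
import re
import socket
import struct
from ipaddress import ip_address, ip_network

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
# Field names that should never travel unencrypted (extend for your device).
CRED_KEYS = re.compile(rb'"?(ssid|password|passwd|pwd|wifi_pass|token)"?\s*[:=]\s*"?([^",&\s]+)', re.I)


def ipv4_frame(src, dst, proto, sport, dport, payload):
    """Ethernet/IPv4/TCP-or-UDP frame for the constructed capture
    (checksums left zero: these bytes are parsed, never transmitted)."""
    if proto == PROTO_TCP:   # 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:                    # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4) + ip


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return (src, dst, proto, sport, dport, payload) for IPv4 TCP/UDP frames;
    ARP, IPv6 and other protocols are skipped."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    pos, records = 24, []
    while pos + 16 <= len(data):
        _ts, _us, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        ip = ip[:struct.unpack("!H", ip[2:4])[0]]      # trim to IP total length
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        l4 = ip[ihl:]
        if proto == PROTO_TCP and len(l4) >= 20:
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[(l4[12] >> 4) * 4:]            # honour TCP data offset
        elif proto == PROTO_UDP and len(l4) >= 8:
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[8:]
        else:
            continue
        records.append((src, dst, proto, sport, dport, payload))
    return records


def audit(records, device_ip, allowed_hosts):
    """(severity, message) findings for traffic to/from device_ip.  allowed_hosts:
    IPs or CIDRs the plug may talk to, e.g. your LAN and the vendor's documented cloud."""
    allowed = [ip_network(h, strict=False) for h in allowed_hosts]
    findings, reported = [], set()
    for src, dst, proto, sport, dport, payload in records:
        if device_ip not in (src, dst):
            continue
        peer, port = (dst, dport) if src == device_ip else (src, sport)
        l4name = "tcp" if proto == PROTO_TCP else "udp"
        if (peer, port, proto) not in reported and not any(ip_address(peer) in n for n in allowed):
            reported.add((peer, port, proto))
            findings.append(("HIGH", f"unexpected peer {peer}:{port}/{l4name}"))
        if proto != PROTO_TCP:
            continue
        if payload[:4] in (b"GET ", b"POST", b"PUT ", b"HEAD"):
            findings.append(("HIGH", f"plaintext HTTP {src}:{sport} -> {dst}:{dport}"))
            for name, _value in CRED_KEYS.findall(payload):
                findings.append(("CRITICAL", f"field {name.decode()!r} sent in the clear to {dst}:{dport}"))
        elif payload[:3] == b"\x16\x03\x01":              # TLS record: handshake, v1.x
            findings.append(("INFO", f"TLS client hello {src} -> {dst}:{dport}"))
    return findings


# Constructed capture: addresses, peers and payloads are invented for the example.
DEVICE, PHONE = "192.168.1.50", "192.168.1.20"
SAMPLE_PCAP = build_pcap([
    ipv4_frame(PHONE, DEVICE, PROTO_TCP, 50123, 80,        # app pushes WiFi creds over HTTP
               b"POST /config HTTP/1.1\r\nHost: 192.168.1.50\r\n\r\n"
               b'{"ssid":"HomeNet","password":"hunter2"}'),
    ipv4_frame(DEVICE, "192.168.1.1", PROTO_UDP, 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    ipv4_frame(DEVICE, "203.0.113.10", PROTO_TCP, 40001, 443, b"\x16\x03\x01\x00\x05" + b"\x01" * 5),
    ipv4_frame(DEVICE, "198.51.100.7", PROTO_TCP, 40002, 1883, b"\x10\x0c\x00\x04MQTT"),  # undocumented
])


def run_demo(allowed=("192.168.1.0/24", "203.0.113.10")):
    """203.0.113.10 stands in for the vendor's documented cloud host."""
    return audit(parse_pcap(SAMPLE_PCAP), DEVICE, allowed)


if __name__ == "__main__":
    for severity, message in run_demo():
        print(f"[{severity}] {message}")
```

To use it on a real plug, capture on the router or a mirror port with `tcpdump -i <iface> -w plug.pcap host <plug-ip>`, read the file into `parse_pcap()` and pass your own allowlist to `audit()`. Anything reported as an unexpected peer is a connection to justify or block at the VLAN boundary; a plaintext HTTP finding carrying the WiFi passphrase is the problem the research describes. The TLS line is informational only: a TLS handshake says nothing about whether the device validates the server certificate.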

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Facebook and Linkedin.
20 Responses
  1. Bill says:

    Stating the blatantly obvious – but clearly not to the vast majority of people.

    Have you noticed how there are practically NO ethernet controlled smart sockets or even Powerline connected ones?

    The vendors would love to tie you in to their clouds . You are at their mercy…

    1. CarlT says:

      This might well have something to do with the fact that most folks want to use handheld devices to control the sockets.

      This means connection to a hub across a wireless network.

      If you’re going that far may as well just put a cheap WiFi chip in the IoT stuff.

      Proprietary hub ties people in.

      An all wired solution for homes is rare because demand is pretty much non-existent.

    2. Connor says:

      Doesn’t help that if you want Google Home support it needs to be contactable from Googles cloud.

  2. Olly says:

    I thought the whole point of Sonoff devices was to flash them with your own firmware: Tasmota / ESPHome et al… Perhaps ‘Insecure by Design’ would be an alternative labelling.

    1. Daniel says:

      Exactly. This article is nonsense. Almost any device can be hacked/flashed with physical access.

    2. spurple says:

      @Daniel, how can the article be nonsense?

      To me, the takeaway was: if I buy one of these, I should consider putting my own firmware on it, because I can’t trust that the seller didn’t put some secretly malicious software on it.

  3. A_Builder says:

    I’d have been sprites if the headline had read

    “IoT devices found to be secure”

    1. A_Builder says:

      *surprised

    2. spurple says:

      oddly enough, “sprites” works quite well in the context too 🙂

  4. Morgan Christiansson says:

    • Glue or weld plastic enclosures so that it is more difficult to tamper with a device without leaving evidence in the form of cosmetic damage to the enclosure.

    • Use hardware that requires a cryptographically signed firmware image.

    • Coat components and connections required for dumping/flashing firmware with an epoxy resin, the removal of which would damage the components leaving the device inoperable.

    These recommendations would all stop you from securing the devices by flashing custom firmware on them 🙁

  5. Webstaff says:

    This article’s a head scratcher.
    After skimming it quickly I feel like I’ve actually lost brain cells.
    It’s like saying you bought petrol to find out if it was flammable and would work in a car.. and you work in the car industry..
    In other important news I’m having steak for tea, which is good / bad for the environment.
    Good / bad for your health.
    But does taste nice.

    1. Webstaff says:

      You know what.

      Mark should know everything about what’s been posted in the comments section looking at his bio.
      So is this Mark trialling some AI writers out?

      Let’s hope so. 😉

      If not let’s just stick to the ISP review stuff

  6. David Bayliss says:

    I liked the sonoff devices especially because you can easily/safely hack (including hardware)/program them yourself for home mains custom IoT. Their hardware seemed pretty good. Too many things are hard to cheaply customise as it is. At least leave us one hackable affordable example lol.

  7. Foxocube says:

    All these recommendations for securing the devices against firmware changes, Richard has clearly missed the reason why these particular ones are popular. People want to put custom firmware (such as ESPHome or Tasmota) on them to bypass the manufacturers’ cloud services and mobile apps. Ironically those services are often far worse in terms of security than the firmware changes Richard wants to prevent. Not to mention much worse in terms of accessibility and interoperability.

  8. Connor says:

    I got a cheap plug a while ago from a shop locally for my TV and logged its connections to find it used a random Hetzner server, contacted just by IP, limiting that device by the availability of one server. I was initially planning on rewriting their server solution locally to help, but never got round to it and just ended up getting a Chromecast that had access to turn the TV off and on anyway.

  9. Mel says:

    I think the Eufy camera server bug just the other day, which gave users full access to other people’s Eufy cameras, including live footage, recordings, and their accounts and settings, is a good example of why being able to open something up and flash it with third party firmware, is a highly desirable feature, rather than a security risk.

    Are manufacturers going to start welding PCs shut and epoxying chips for security, so you can’t upgrade or fix them?

    One of the reasons Sonoffs are popular is that you can open them up and flash them. The only potentially semi-realistic security issue I can see that you’d try to solve by welding them shut et al would be to stop some rogue trader flashing them with malware and selling them on eBay, and they could probably still get around it by ordering a custom version in bulk from China with firmware that uses and updates from their own server, allowing them to flash malware remotely.

  10. tonyp says:

    I don’t think the process of opening up a device and reflashing is a practical thing for non-techy Mr & Mrs Joe Public.

    Apart from breaking open a mains-bearing device, the process of downloading and configuring devices is not for the non-technical – these devices were not intended to be tampered with.

    In my case, I don’t trust the apps that the vendors want you to download to a smartphone. And for every different vendor’s device, there is a different app. I do use a few older IoT devices with Home Assistant servers running on my own network with firewalling to limit external access. These IoT devices initiate calling ‘home’ for updates etc. very regularly and these have to be watched.

    I also do not trust broker services to control my devices, who knows what they do!
    But then again, I happily use Google and so on. Ah well Caveat Emptor!

  11. Bump says:

    Sonoff design their devices to be easily flashable. I run them using custom firmware and with no access to anything outside their isolated network. I like being able to do this rather than having a cloud dependency.

    1. CTB says:

      I’m in full agreement with Bump. I have many IOTs on my home network all with the OEM code fully erased and my own home written firmware flashed instead. No Clouds, Servers or code I haven’t set up or written. SONOFF make sockets and devices for the likes of me. Please leave what you don’t understand alone.

    2. A_Builder says:

      @CTB

      By your logic SONOFF should ship with no firmware rather than carp default firmware?

      Maybe just a firmware toolkit?

      I certainly have all IoT stuff on a separate set of VLANs if it is talking to the cloud as goodness knows what it is up to. What if the GRU knew when my milk was delivered: maybe they could do their polonium delivery at the same time or deliver the package of that ‘newcomer’ gel liquid from that nice Mr Putin?

      The mind boggles. Well it doesn’t really if you limit what the kit can see either physically or electronically.

      It is things like Alexa or smartphone hacking I have more of an issue with as they can get into really sensitive areas of your work or personal life.
