Users might risk their privacy, and even physical security, when using smart plugs to manage appliances in homes, office buildings and other spaces.
That is because an electrical socket in use today is vulnerable to malicious firmware upgrades and can end up controlled remotely to expose users to physical and online security risks, researchers said.
The affected vendor has not been named since it has yet to release patches for the vulnerable product. The fix should become available sometime in the third quarter.
Smart electrical sockets allow users to create on/off schedules for their devices, monitor energy usage and prevent overheating. In many cases, these products can end up controlled remotely using a mobile application.
The product analyzed by Bitdefender researchers Dragos Gavrilut, Radu Basaraba and George Cabau is a smart socket installed, configured and controlled using iOS and Android apps available on the App Store and Google Play.
During the setup process, the user ends up instructed to provide the Wi-Fi credentials needed by the device to connect to the local wireless network. The device also registers with the vendor’s server through a UDP message containing the device’s name, model and MAC address.
Experts discovered several vulnerabilities, including the socket’s hotspot being protected by weak, default credentials, and users are not warned about the risks of leaving them unchanged.
Another problem is the mobile app transfers Wi-Fi credentials in clear text, allowing an attacker to intercept the information. Furthermore, communications between the device and the application go through the manufacturer’s server without being encrypted – the data is only encoded and it can be easily decoded.
The security weaknesses plaguing the product can be exploited by a remote attacker who knows the MAC and default password to take control of the device, the researchers said in a blog post. This includes making configuration changes (e.g. modifying schedules) and obtaining user information.
The product analyzed by the security firm includes an email notification feature that requires the user to provide their email username and password. If an attacker gains access to the device, they can steal the victim’s email credentials and hack their account.
Experts also found due to the lack of password sanitization, attackers can inject arbitrary commands into new password requests. This allows them not only to overwrite the root password, but also to open the embedded Telnet service and remotely hijack the device. The method can also end up used to install malicious firmware, which gives hackers persistent access to the socket and from there to all the other devices on the local network.
“One of the most destructive actions an attacker can take is to rip off the existing software and plant malicious software in its place,” Cabau said in a post. “For users, the consequences can extend to losing control of all their network-connected devices as they become weapons of attack in a cyber-criminal network, as well as to exposing their email accounts and their contents.”
Bitdefender offered advice for users:
• Perform a thorough research before buying an IoT device for their homes. Online reviews may reveal privacy issues other users have encountered.
• Test the device to understand how it works (if possible). How does it connect to the Internet, what data can it access, where is that data stored and under what circumstances?
• Proper research into the new device will help users weigh the risks and benefits – can this device turn into a privacy hazard? Using data collected from it, could someone infiltrate the home Wi-Fi network to snoop on private conversations and steal other personal information?
• Read the privacy statement before activating the device and connecting it to the web.