One smart plug isn't so bright when it comes to security

A security firm finds an unidentified smart socket vulnerable to hacks

Smart sockets that let you control an electrical plug over the internet may sound cutting edge, but they can also be rife with security flaws.

One such plug was found vulnerable to hacks. Security firm Bitdefender said that it could steal user email logins from the device, control it over the Internet, and potentially use the socket to launch other malware attacks.

“This is a serious vulnerability, we could see botnets made up of these power outlets,” Alexandru Balan, chief security researcher at Bitdefender, said in a Thursday blog post.

Bitdefender isn’t naming the product, but its mobile app has more than 10,000 downloads from Android users.

The device itself functions as a smart electrical switch that connects to the internet over Wi-Fi. A user can plug it into any wall socket, and remotely turn the device on and off through the mobile app.

This particular product can also send email notifications to the user when it changes from one state to another. But despite these features, the smart socket isn’t very secure, Bitdefender found.

By default, it comes with a weak username and password combination, which the socket doesn’t force the consumer to change. The product also communicates data unencrypted, making anything it sends easy to decode. If a hacker is eavesdropping over the Wi-Fi connection, all of this data can be seen.

Due to these flaws, Bitdefender ran tests and found that when nearby, researchers could hijack control over the smart socket. If the plug had enabled email notifications, a hacker could also steal the user’s address and password information.

A bigger issue is a flaw within the product’s software coding. A hacker can potentially exploit this to inject commands into the coding and control the product anywhere over the internet, Bitdefender said.

In a worst-case scenario, a hacker could install malicious firmware into these smart sockets, turning them into a botnet or a network of computers that can launch cyber attacks, Bitdefender added. PCs and other electronics connected to the same internet connection as the smart socket would be vulnerable.

The vendor behind this smart socket is working on a fix that will be released in the third quarter, Bitdefender said.

The security firm is advising that consumers be aware of privacy issues related to smart plugs and other internet-connected devices. They should also do proper research before buying and look at the online reviews to see if other users have reported any problems.  

Join the Computerworld New Zealand newsletter!

Error: Please check your email address.

More about Smart

Show Comments