Smart plugs risk exposing sensitive data to hackers or creating a serious fire risk in the home, an investigation by consumer champions Which? has found.
Internet-connected ‘smart’ plugs let users turn standard appliances on and off remotely via an app on their smartphone.
But smart plug makers like TP-Link, Hive and Hictkon all have products open to vulnerabilities making them liable to hazards, and are on sale through retailers including Amazon Marketplace and eBay.
One plug made by Hictkon is so dangerous that it ‘should not be sold’ due to the fire risk it presents to people in the home, according to Which?.
Online retailers should take more responsibility for the safety and security of the products sold on their sites even if the seller is a third-party, Which? says, adding that government intervention is needed.
Which? experts suspect the Hictkon Smart Plug (pictured) came with a fake CE safety marking and is ‘so dangerous that it should not be sold’.
‘Connected devices like smart plugs bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring,’ said Kate Bevan, computing editor at Which?.
‘Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.
‘Online marketplaces should also be given more legal responsibility for preventing unsafe products from being sold on their sites.
‘In the meantime, online marketplaces, retailers and manufacturers must be far more proactive in preventing devices with security issues ending up in people’s homes.’
Which? bought 10 smart plugs available from online retailers and marketplaces.
Products ranged from well-known brands such as TP-Link and Hive to more obscure names such as Hictkon, Meross and Ajax Online.
Which? worked with security consultants NCC Group to test the 10 smart plugs for security and safety in August 2020.
Experts found 13 vulnerabilities among nine of the plugs.
Three of these were rated as ‘high impact’ and another three as ‘critical’ – all of which could pose a major risk to people’s homes.
One device had a critical fault that could cause a fire or even an explosion ‘big enough to destroy the device plugged in to it’.
Which? said the Hictkon Smart Plug with Dual USB Ports, which was available on Amazon Marketplace, has been poorly designed.
Its major issue is that its live connection is far too close to an energy-monitoring chip.
This could cause an arc – a luminous electrical discharge between two electrodes – which poses a fire risk, particularly to older homes with older wiring.
Which? experts suspect the Hictkon Smart Plug came with a fake CE safety marking and is ‘so dangerous that it should not be sold’.
Hive Active plug, available at a wide range of retailers including Amazon, John Lewis, Currys PC World, B&Q and Screwfix, has a smaller window of opportunity for cyber attackers than other plugs, Which? said
Amazon has since taken this smart plug off sale pending an investigation and the old webpage for the product now redirects to the Amazon homepage.
Which? said: ‘Anyone who has purchased one of these devices should unplug it and stop using it immediately.’
Meanwhile, other smart plugs were deemed a cybersecurity risk rather than posing an immediate physical threat.
Several of the products tested had a critical vulnerability that could allow cybercriminals to steal the network password.
This could be used to hack not only the plugs and the hub, but also any other connected products, such as a thermostat, camera or potentially a laptop.
This issue allegedly emerges when users connect two plugs – the Innr SP 222 Zigbee 3.0 Smart Plug (available on Amazon and eBay) and Ajax Online plugs (available on Amazon) – to a Tuya hub, a commonly used hub for connecting devices using the Zigbee specification.
As well as giving an attacker access to devices, this vulnerability could also divulge information like when people are out of their homes, which is ‘potentially a gift to criminals’, Which? said.
Innr claimed this issue was more with the Zigbee implementation on the hub used in the testing.
Ajax also said in a statement to MailOnline that this is not an issue caused by the plugs but the Tuya hubs.
‘We have contacted Tuya directly and informed them of this issue,’ an Ajax spokesperson said.
Several of the products tested had a critical vulnerability that could allow cybercriminals to steal the network password and use that to hack plugs and other connected products, such as a thermostat, camera or a laptop. Which? found this issue emerges when connecting two plugs – the Innr SP 222 Zigbee 3.0 Smart Plug (pictured) and Ajax Online plugs (below) – to a Tuya hub, a commonly used hub for connecting Zigbee devices
Ajax Online plug (pictured), which is available on Amazon. Ajax said there is an issue caused by the Tuya hubs and not with the plugs
Which? found the same issue with the popular Hive Active plug, available at Amazon, John Lewis, Currys PC World, B&Q and Screwfix.
The ‘window of opportunity for attack’ on Hive Active was smaller on this device, however.
‘We agree any potential vulnerability is serious and we will be reviewing their full findings to evaluate the seriousness of this claim,’ a Hive spokesperson said.
‘However, from what we have seen to-date, and as verified by Which?, the risk to our customers brought about from this scenario is extremely low due to the small window of opportunity, the customer interaction required and the need to be in close proximity to the devices.’
Experts also uncovered a critical issue with users’ Wi-Fi passwords not being encrypted during the setup of smart plugs, meaning an attacker could steal them.
Kasa Smart Plug by TP-Link (pictured). TP-Link has developed a fix for the vulnerability with the Kasa smart plug and this will roll out in October 2020. Which? will be verifying the fix when it becomes available
The Meross Smart Plug WiFi Socket, sold on Amazon and eBay, could allow a hacker to enjoy free internet at the user’s expense.
It could also let them monitor what sites a person is visiting and attempt to compromise other devices that they have connected to the smart home system.
In the case of the TP-Link Kasa smart plug, a flaw means an attacker could seize total control of the plug and of the power going to the connected device.
TP-Link also shares the email address used to set up the plug unencrypted with potential hackers, which could be used in phishing scams.
TP-Link has developed a fix for the vulnerability with the Kasa smart plug, which will roll out this month.
Hive is also in the process of fixing issues with its products, Which? said.
‘Which? is also in ongoing talks with Innr while Meross has said it will fix the issue but this could take six months or more.’
The Meross Smart Plug WiFi Socket, sold on Amazon and eBay, could ‘allow a hacker to enjoy free internet at the user’s expense’
In July, the UK government detailed its plans to bring security requirements for smart devices into law, including three basic security requirements that ‘may be expanded on over time’.
Which? said none of the plugs it tested would currently meet these requirements under the law.
In response to the Which? findings, Amazon said in a statement: ‘Safety is important to Amazon and we want customers to shop with confidence in our stores.
‘We have proactive measures in place to prevent suspicious or non-compliant products from being listed and we monitor the products sold in our stores for product safety concerns.
‘When appropriate, we remove a product from the store, reach out to sellers, manufacturers, and government agencies for additional information, or take other actions.
‘If customers have concerns about an item they’ve purchased, we encourage them to contact our Customer Service team directly so we can investigate and take appropriate action.’