Researchers have discovered critical security flaws in connected smart plugs which can give attackers access to a full home network — as well as your email account.
Bitdefender researchers Dragos Gavrilut, Radu Basaraba, and George Cabau said on Thursday that one particular device uses no encryption and weak default passwords, with no alerts issued to users to change them in the interests of security.
Internet of Things (IoT) devices are products with network capabilities. While these now range from smartphones to fridges, the use of smart plugs is also on the rise.
IoT-based smart outlets can be used to monitor energy usage, schedule devices to turn on and off at the user’s convenience, and can be used to power and control gadgets including security cameras, smart TVs and coffee makers, among others.
According to the security firm, a popular, but undisclosed, electrical outlet currently on the market not only has poor security in place but is also susceptible to malicious firmware updates which permit attackers to control devices remotely and gain an entry point into your home networks and activity.
To set up the device, users must plug it in, download the accompanying Android or iOS app, and then go through the installation process. The device requests the credentials to the user’s home network and then registers to vendor servers through UDP messages containing the device name, model, and MAC address. The server then replies with the firmware version, port, and local IP address.
Bitdefender noted that the device’s Wi-Fi hotspot is secured with a weak username and password, and during configuration, the Wi-Fi network credentials are transferred in cleartext rather than using any encryption to speak of. To make matters worse, the device-to-application communication which passes through the vendor’s servers are only encoded and not encrypted.
“Encoding can be easily reversed using a scheme that is publicly available, while encryption keeps data secret, locked with a key available for a selected few,” the researchers note.
In addition, a feature of the smart plug has been poorly managed. The outlet can be configured to send email notifications every time there is a state change — such as turning on or off — but this requires access to the user’s email account credentials, further expanding the potential attack surface.
If an attacker knows the MAC address of the device and the default credentials, they can gain control of the device, plundering all of the user information stored within — which includes the user’s email credentials if the alert feature is enabled.
Due to these security flaws — and a lack of password sanitization — new passwords can also be set to override the root password and access the embedded Telnet service. When access to the network protocol is in hand, attackers can then remotely send commands to stop, start, and schedule the device, as well as execute malicious code. In addition, the outlet is vulnerable to malicious firmware updates.
The researchers note that attackers could use the device to perform attacks on other devices connected to the same local network. It may even be the case that we could see power outlets become another element of botnets, which have already included home and office routers.
“One of the most destructive actions an attacker can take is to rip off the existing software and plant malicious software in its place,” says Cabau. “For users, the consequences can extend to losing control of all their network-connected devices as they become weapons of attack in a cyber-criminal network, as well as to exposing their email accounts and their contents.”
Bitdefender reported the vulnerabilities to the vendor before public disclosure 30 days later. The vendor is working on a fix due to be released in Q3 2016.