They promise to help people run and monitor a range of gadgets and appliances around the home with their phone, but smart plugs for sale at a wide range of retailers, including online marketplaces, risk exposing sensitive data to hackers or creating a serious fire risk, a Which? investigation has found.
Which? bought 10 smart plugs available from popular online retailers and marketplaces, ranging from well-known brands, such as TP-Link and Hive, to more obscure names such as Hictkon, Meross and Ajax Online.
Working with security consultants NCC Group, experts found 13 vulnerabilities among nine of the plugs, including three rated as high impact and a further three as critical – all of which could pose a major risk to people’s homes.
One device had a critical fault that could cause a fire or even an explosion big enough to destroy the device plugged into it.
The Hictkon Smart Plug with Dual USB Ports, which was available on Amazon Marketplace, has been poorly designed, with the live connection far too close to an energy-monitoring chip. This could cause an arc – a luminous electrical discharge between two electrodes – which poses a fire risk, particularly to older homes with older wiring.
Which? believes that the Hictkon Smart Plug, which experts suspect came with a fake CE safety marking, is so dangerous that it should not be sold. Amazon has since taken this smart plug off sale pending an investigation. Anyone who has purchased one of these devices should unplug it and stop using it immediately.
Several of the products tested had a critical vulnerability that could allow cybercriminals to steal the network password and use that to hack not only the plugs and the hub, but also any other connected products, such as a thermostat, camera or potentially even a laptop.
Which? found this issue emerges when you connect two plugs – the Innr SP 222 Zigbee 3.0 Smart Plug, available on Amazon and eBay, and Ajax Online plugs, available on Amazon – to a Tuya hub, a commonly used hub for connecting Zigbee devices. As well as giving an attacker access to devices, this vulnerability could also divulge information such as when people are in and out of their homes, potentially a gift to criminals.
Which? found the same issue with the popular Hive Active plug, available at a wide range of retailers including Amazon, John Lewis, Currys PC World, B&Q and Screwfix, although the window of opportunity for attack was smaller on this device.
Experts also uncovered a critical issue with users’ wi-fi passwords not being encrypted during the setup of smart plugs, meaning an attacker could steal them. The Meross Smart Plug WiFi Socket, sold on Amazon and eBay, could allow a hacker to enjoy free internet at the user’s expense, monitor what sites a person is visiting and attempt to compromise other devices that they have connected to the smart home system.
In another case, testers found a flaw that meant an attacker could seize total control of the plug, and of the power going to the connected device. On the TP-Link Kasa, available at Amazon, Argos and Currys, the attack itself is straightforward once an attacker has gained access. Once compromised, the hacked plug could remain on the network undetected and provide a way in for cybercriminals to mount further attacks on your data and devices. TP-Link also transmits the email address used to set up the plug unencrypted, exposing it to potential hackers who could use it in phishing scams.
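As an added example (not code from the Which? or NCC Group investigation, nor from any of the manufacturers named), the following Python check models the two findings above, a wi-fi password and a setup e-mail address sent without encryption during onboarding, as a test that a device owner or tester can run over payloads captured from their own device. The sample messages, field names and secret values are constructed for illustration; the check also looks for base64 and hex forms of each secret, because an encoded credential is still a cleartext credential.

```python
"""Check captured device-onboarding traffic for credentials sent in the clear.

Added example, not the Which?/NCC Group test code. Given the secrets that the
owner typed into the app (wi-fi password, account e-mail) and the application
payloads captured during setup, report every message in which a secret can be
recovered without any decryption. Encoding (base64, hex) is not encryption, so
those forms are flagged as well.
"""
import base64
import binascii
from typing import Dict, List, Tuple

# Constructed sample capture: (direction, application payload). In a real check
# these would come from a packet capture of your own device's setup exchange.
SAMPLE_MESSAGES: List[Tuple[str, bytes]] = [
    # Wi-fi credentials sent as plain JSON: the password is readable as-is.
    ("app->plug", b'{"cmd":"set_wifi","ssid":"HomeNet","psk":"correct horse battery"}'),
    # Account registration with the e-mail merely base64-encoded.
    ("plug->cloud", b'{"event":"register","user":"YWxpY2VAZXhhbXBsZS5jb20="}'),
    # TLS-looking bytes: nothing recoverable here, so no finding.
    ("plug->cloud", b"\x16\x03\x03\x00\x4a\x01\x00\x00\x46\x03\x03"),
]

# Constructed secrets the tester entered during setup (assumed values).
SECRETS: Dict[str, str] = {
    "wifi_psk": "correct horse battery",
    "email": "alice@example.com",
}


def _encodings(secret: str) -> Dict[str, bytes]:
    """Return the byte patterns under which a secret may appear unprotected."""
    raw = secret.encode()
    return {
        "plain": raw,
        "base64": base64.b64encode(raw),
        "hex": binascii.hexlify(raw),
    }


def find_cleartext_secrets(messages: List[Tuple[str, bytes]],
                           secrets: Dict[str, str]) -> List[dict]:
    """Return one finding per (message, secret, encoding) match.

    A finding means the secret is recoverable from the captured payload with
    no key material at all, which is what 'not encrypted during setup' means
    in practice.
    """
    findings = []
    for index, (direction, payload) in enumerate(messages):
        for name, value in secrets.items():
            for encoding, needle in _encodings(value).items():
                if needle in payload:
                    findings.append({
                        "message": index,
                        "direction": direction,
                        "secret": name,
                        "encoding": encoding,
                    })
    return findings


def verdict(findings: List[dict]) -> str:
    """Summarise a capture as PASS (nothing recoverable) or FAIL."""
    if not findings:
        return "PASS: no configured secret recoverable from captured setup traffic"
    leaked = sorted({f["secret"] for f in findings})
    return "FAIL: recoverable in cleartext: " + ", ".join(leaked)


if __name__ == "__main__":
    hits = find_cleartext_secrets(SAMPLE_MESSAGES, SECRETS)
    for hit in hits:
        print(f"message {hit['message']} ({hit['direction']}): "
              f"{hit['secret']} exposed as {hit['encoding']}")
    print(verdict(hits))
```

Run against a capture of a device's own setup exchange, the check should return no findings once a vendor's fix is in place; a base64 or hex finding after a fix is a sign that the credential was obfuscated rather than actually protected by a key.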
Hive and TP-Link have both engaged positively with the findings. Which? has worked with both brands and they are in the process of fixing the respective issues with their products. Which? is also in ongoing talks with Innr while Meross has said it will fix the issue but this could take six months or more. But it has proved impossible to make contact with representatives of the little-known Hictkon brand. Which? has contacted Ajax Online about its findings but has not heard anything back.
Which? believes these latest findings further highlight the importance and urgency of new laws proposed by the Department for Digital, Culture, Media and Sport (DCMS), requiring smart devices sold in the UK to adhere to three basic security requirements. None of the plugs Which? tested would currently meet these requirements. None of them states at the point of sale how long the product will be supported with security updates. Hardly any of the devices Which? tested had a point of contact where it could report the vulnerabilities and problems it found, while many also use default passwords.
Which? wants this legislation to be backed by strong and effective enforcement and for the chosen enforcement body to ultimately have the power to suspend, permanently ban the sale of or recall non-compliant products where necessary.
The consumer champion also wants to see online marketplaces and retailers taking more responsibility for the safety and security of the products sold on their sites, regardless of whether the seller is a third-party.
Kate Bevan, Which? Computing editor, said:
“Connected devices like smart plugs bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring.
“Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.
“Online marketplaces should also be given more legal responsibility for preventing unsafe products from being sold on their sites.
“In the meantime, online marketplaces, retailers and manufacturers must be far more proactive in preventing devices with security issues ending up in people’s homes.”
How to stay safe while using smart kit
Beware of unknown brands – Be cautious when the company that’s selling the smart product doesn’t have a website or any contact details. If you can’t find the brand online at all, or it doesn’t look reputable, avoid it.
Check the reviews – Although the product might have hundreds or even thousands of glowing reviews, always read the negative ones, too. They can alert you to worrying issues with the product.
Change the password – When setting up a new device, change the default password to a more secure one. We recommend the ‘three random words’ method. See which.co.uk/securepasswords for more.
Install all updates – These software updates provide vital protections against security threats. Check the settings to set updates to run automatically. And also run updates on your phone app.
Notes to editors
Which? worked with NCC Group to expertly test 10 smart plugs for security and safety over several weeks in August 2020.
In its investigation Which? didn’t find anything concerning with the TP-Link Tapo Mini sold on Amazon, eBay and AO.com. So it could be a good, and cheap, option for automating people’s smart homes.
Government advances plans to boost security of smart products – 16 July 2020.
The three security requirements for smart devices set to be brought into law are:
Device passwords must be unique and not resettable to any universal factory setting;
Manufacturers must provide a public point of contact so anyone can report a vulnerability;
Information stating the minimum length of time for which the device will receive security updates must be provided to customers.
Please note that a different Hictkon smart plug is still available on Amazon. Which? additionally purchased this plug and it does not have the same electrical safety risks in its design as the plug above. However, Which? would still urge caution to those considering buying it.
Which? was unable to find anyone representing the Hictkon brand, and so contacted Amazon instead. It said: “Safety is important to Amazon and we want customers to shop with confidence in our stores. We have proactive measures in place to prevent suspicious or non-compliant products from being listed and we monitor the products sold in our stores for product safety concerns. When appropriate, we remove a product from the store, reach out to sellers, manufacturers, and government agencies for additional information, or take other actions. If customers have concerns about an item they’ve purchased, we encourage them to contact our Customer Service team directly so we can investigate and take appropriate action.”
“We thank the Which? team for bringing this to our attention. Protecting our customers from cybercrime is paramount and we are actively working with the Government and industry peers to ensure smart technology has rigorous security measures in place to ensure data privacy.
“We agree any potential vulnerability is serious and we will be reviewing their full findings to evaluate the seriousness of this claim. However, from what we have seen to-date, and as verified by Which?, the risk to our customers brought about from this scenario is extremely low due to the small window of opportunity, the customer interaction required and the need to be in close proximity to the devices. If any of our customers have concerns they can contact us directly to discuss.”
TP-Link has developed a fix for the vulnerability with the Kasa smart plug and this will roll out in October 2020. Which? will be verifying the fix when it becomes available.
Innr claimed that, after investigating, the issue Which? found was more with the Zigbee implementation on the hub used in the testing. Which? remained in conversations with the brand at the time of publication over how to mitigate this issue going forward.
Meross has said it will fix the issue but this could take six months or more.
Which? contacted Ajax Online about its findings but had not heard anything back at the time of publication.
Retailers and online marketplaces
Retailers and online marketplaces stocking these products have only recently been made aware of Which?’s findings, and have not had the opportunity to respond in advance of this press release.