One smart plug isn't so bright when it comes to security

A security firm finds an unidentified smart socket vulnerable to hacks

Smart sockets that let you control an electrical plug over the internet may sound cutting edge, but they can also be rife with security flaws.

One such plug was found vulnerable to hacks. Security firm Bitdefender said that it could steal user email logins from the device, control it over the internet, and potentially use the socket to launch other malware attacks.

“This is a serious vulnerability, we could see botnets made up of these power outlets,” Alexandru Balan, chief security researcher at Bitdefender, said in a Thursday blog post.

Bitdefender isn’t naming the product, but its mobile app has more than 10,000 downloads from Android users.

The device itself functions as a smart electrical switch that connects to the internet over Wi-Fi. A user can plug it into any wall socket, and remotely turn the device on and off through the mobile app.

This particular product can also send email notifications to the user when it changes from one state to another. But despite these features, the smart socket isn’t very secure, Bitdefender found.

By default, it comes with a weak username and password combination, and the socket doesn't force the consumer to change it. The product also transmits its data unencrypted, so anyone eavesdropping on the Wi-Fi connection can read everything it sends, including those credentials.

Exploiting these flaws in tests, Bitdefender's researchers found that, when within range of the Wi-Fi network, they could hijack control of the smart socket. If the user had enabled email notifications, a hacker could also steal the email address and password the plug uses to send them.
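The eavesdropping risk described above can be checked from the defender's side by auditing a packet capture of one's own device for credentials that cross the wire in the clear. The Python below is an added example, not Bitdefender's tooling or anything from the article: the HTTP requests are constructed here, the factory-default list is hypothetical, and the device in question is not identified on the page. It parses each request, pulls any HTTP Basic credential or form-posted password out of the plaintext, and flags those that match a known default.

```python
import base64
import urllib.parse
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: three plaintext HTTP requests of the kind an auditor might
# capture on their own Wi-Fi while a smart plug talks to its local controller.
# This is made-up traffic, not a capture from the device in the article.
CAPTURED_REQUESTS: List[bytes] = [
    b"GET /status HTTP/1.1\r\nHost: 192.168.1.50\r\n"
    b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n",
    b"POST /config/mail HTTP/1.1\r\nHost: 192.168.1.50\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"smtp_user=owner%40example.com&smtp_pass=s3cret&smtp_host=mail.example.com",
    b"GET /status HTTP/1.1\r\nHost: 192.168.1.50\r\n"
    b"Authorization: Basic b3duZXI6Y29ycmVjdC1ob3JzZQ==\r\n\r\n",
]

# Hypothetical factory defaults an auditor would keep for their device fleet;
# the article does not publish the real ones.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}


@dataclass
class Finding:
    path: str          # request path the credential was sent to
    username: str
    is_default: bool   # matches a known factory default
    source: str        # "basic-auth" header or "form-body" field


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into (path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers, body.decode("latin-1")


def credential_in_request(raw: bytes) -> Optional[Finding]:
    """Return a Finding if the request exposes a credential in the clear."""
    path, headers, body = parse_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64, not encryption: anyone on the path can decode it.
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        return Finding(path, user, (user, password) in DEFAULT_CREDENTIALS, "basic-auth")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = dict(urllib.parse.parse_qsl(body))
        pass_keys = [k for k in fields if "pass" in k.lower()]
        if pass_keys:
            user_keys = [k for k in fields if "user" in k.lower()]
            user = fields[user_keys[0]] if user_keys else ""
            password = fields[pass_keys[0]]
            return Finding(path, user, (user, password) in DEFAULT_CREDENTIALS, "form-body")
    return None


def audit(requests: List[bytes]) -> List[Finding]:
    """Every request in the capture that leaked a credential, in capture order."""
    return [f for f in map(credential_in_request, requests) if f is not None]


if __name__ == "__main__":
    for finding in audit(CAPTURED_REQUESTS):
        flag = "FACTORY DEFAULT" if finding.is_default else "user-set"
        print(f"{finding.path:<14} {finding.source:<10} user={finding.username!r} ({flag})")
```

Any finding at all means the device is sending secrets where a Wi-Fi neighbour can read them; a finding marked as a factory default means the credential was never changed, which is exactly the combination the article describes.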

A bigger issue is a flaw in the product's software. A hacker could potentially exploit it to inject commands into the device and control it from anywhere over the internet, Bitdefender said.
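Command injection of the kind the paragraph alludes to usually comes from firmware that splices a user-supplied setting into a shell command string. The article does not describe the actual flaw, so the Python below is a generic illustration added here, not the vendor's code: it takes the plug's email-notification feature as the scenario, assumes a hypothetical firmware that shells out to curl's SMTP support to send the message, and shows the vulnerable construction beside a hardened one that validates each field against a strict grammar and passes an argument vector with no shell at all.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, joined by dots. Leaves no room for shell metacharacters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
# Conservative mailbox local part: must start with an alphanumeric so the value
# can never be mistaken for a command-line option such as "--mail-rcpt".
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*$")

NOTIFY_BODY = "/tmp/notify.txt"  # message file written elsewhere by the (hypothetical) firmware


def is_valid_host(host: str) -> bool:
    """Accept a DNS hostname or a literal IPv4/IPv6 address, nothing else."""
    if len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def is_valid_mailbox(addr: str) -> bool:
    """local@domain with the local part and domain each held to a strict grammar."""
    local, sep, domain = addr.rpartition("@")
    return bool(sep) and bool(LOCAL_PART_RE.match(local)) and is_valid_host(domain)


def vulnerable_notify_command(smtp_host: str, sender: str, recipient: str) -> str:
    """The anti-pattern: settings typed into the mobile app are spliced into one
    string that the firmware would hand to /bin/sh. A ';' in the SMTP field ends
    the curl command and starts a second one of the user's choosing."""
    return (f"curl --url smtp://{smtp_host} --mail-from {sender} "
            f"--mail-rcpt {recipient} -T {NOTIFY_BODY}")


def hardened_notify_argv(smtp_host: str, sender: str, recipient: str) -> List[str]:
    """Reject anything outside the expected grammar, then build an argv list that
    goes straight to the program (no shell), so no field can become a second command."""
    if not is_valid_host(smtp_host):
        raise ValueError(f"rejected SMTP host: {smtp_host!r}")
    for addr in (sender, recipient):
        if not is_valid_mailbox(addr):
            raise ValueError(f"rejected mailbox: {addr!r}")
    return ["curl", "--url", f"smtp://{smtp_host}", "--mail-from", sender,
            "--mail-rcpt", recipient, "-T", NOTIFY_BODY]


def send_notification(smtp_host: str, sender: str, recipient: str) -> int:
    """How the hardened variant is actually invoked: subprocess.run with a list
    and the default shell=False, so the arguments are never re-parsed by a shell."""
    return subprocess.run(hardened_notify_argv(smtp_host, sender, recipient),
                          check=False, timeout=30).returncode


if __name__ == "__main__":
    tainted = "mail.example.com; echo injected"
    print("vulnerable:", vulnerable_notify_command(tainted, "plug@example.com", "owner@example.com"))
    try:
        hardened_notify_argv(tainted, "plug@example.com", "owner@example.com")
    except ValueError as exc:
        print("hardened:  ", exc)
```

The validator matters even for the argv form: a field beginning with "-" would otherwise be parsed by curl as an option, which is why both the hostname labels and the local part of a mailbox are required to start with an alphanumeric character. Encrypting the transport, as the previous paragraphs call for, does nothing against this class of bug; the input has to be constrained before it reaches anything that interprets it.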

In a worst-case scenario, a hacker could install malicious firmware on these smart sockets, turning them into a botnet, a network of compromised devices that can launch cyberattacks, Bitdefender added. PCs and other electronics on the same internet connection as the smart socket would also be vulnerable.

The vendor behind this smart socket is working on a fix that will be released in the third quarter, Bitdefender said.

The security firm advises consumers to be aware of the privacy issues that come with smart plugs and other internet-connected devices, to research products properly before buying, and to check online reviews for problems other users have reported.

Stories by Michael Kan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place