Burning down the house! Consumer champ Which? probes smart plugs to find a bunch of insecure fire-risk tat

Yep, plugs. The things that pick up electrickery from the wall


Smart plugs could set your house on fire and let hackers gaze upon your private data, according to consumer champion company Which?

Which? bought 10 smart plugs available from popular online retailers and marketplaces, ranging from vendors such as TP-Link and Hive to "more obscure" brands such as Hictkon, Meross, and Ajax Online.

Smart plugs, as the Luddites, sorry, the security-conscious among our readers know, are items plugged into wall-fitted electrical receptacles that convey electricity to an appliance. They interact with things like Amazon Echo Dots and Google Nests so you can bellow at your always-on audio surveillance device to turn a desk lamp off. Many in the modern world find the convenience outweighs security concerns multiple times over.

Working with security consultancy NCC Group, Which?'s researchers found 13 vulnerabilities among nine of the plugs, including three rated as "high impact" and a further three as "critical".

One device, the Hictkon Smart Plug with Dual USB Ports as bought from Amazon, had been "poorly designed, with the live connection far too close to an energy-monitoring chip," according to Which? "This could cause an arc – a luminous electrical discharge between two electrodes – which poses a fire risk, particularly to older homes with older wiring."

Amazon is said to have taken this smart plug off sale pending an investigation, with Which? urging owners to unplug them immediately.

Several of the products tested had a critical vulnerability that could allow malicious types to steal the local Wi-Fi network password "and use that to hack not only the plugs and any connected smart hub, but also any other connected products, such as a thermostat, camera or potentially even a laptop," Which? claimed.

Such concerns are realistic if the malicious person is physically close enough to the target's home to set up a fake Wi-Fi network using their home SSID and man-in-the-middle their internet traffic, a scenario that is not impossible but also quite unlikely. It has much greater importance in a shared office building, however.

In another case, Which? found a flaw that meant an attacker could seize total control of the plug, and of the power going to the connected device. The org said: "After gaining access to the TP-Link Kasa, available at Amazon, Argos and Currys, the attack itself is straightforward. Once compromised, the hacked plug could remain on the network undetected, and provide a way in for cybercriminals to mount further attacks on your data and devices. TP-Link also shares the email address used to set up the plug unencrypted with potential hackers, which could be used in phishing scams."

It appears the latter sentence means your email address is transmitted to TP-Link's servers without encryption, though we have asked for clarification.

Amazon said in a statement "safety is important" and that it likes people to contact it directly with concerns about products sold through its website. "When appropriate, we remove a product from the store, reach out to sellers, manufacturers, and government agencies for additional information, or take other actions."

Hive said in its own statement: "From what we have seen to date, and as verified by Which?, the risk to our customers brought about from this scenario is extremely low due to the small window of opportunity, the customer interaction required and the need to be in close proximity to the devices."

TP-Link said a patch would be available for its Kasa smart plug in October. Meross told Which? its own patch could take up to six months, bringing in echoes of Netgear's response to security vulns. Ajax Online didn't respond to Which? and had not replied to The Register by the time of publication.

The UK government has previously promised to pass laws making it illegal to sell Internet-of-Things devices with hard-coded default passwords. Those pledges built on previous pleas from GCHQ for manufacturers to at least pretend to secure their cheap 'n' cheerful IoT crapware. ®
