The Head of Technical Cyber Security at A&O IT Group, Richard Hughes, has today warned UK consumers to be careful when buying cheap WiFi Smart Plugs from Amazon, eBay or AliExpress because some devices were found to harbour significant security vulnerabilities that could leave end-users exposed.
The research looked at two allegedly “popular” smart plugs, such as theSonoff S26 and theEner-J Wi-fi Smart Plug. The Ener-J is available with alternative branding and is believed to be a white labelled product from Tuya (the firmware seems to support this theory). Both devices retail for around the £10 mark and enable you to switch devices on and off by using a WiFi app on your mobile phone or computer, among other things.
After acquiring the devices for himself, Richard then proceeded to delve into the vulnerabilities of these plugs and discovered various “simple security errors“, such as passwords made publicly available in user guides (e.g. one device used a universal default password of.. wait for it.. “12345678“), unencrypted traffic (HTTP) between the smart plug and the mobile device that controls it, as well easy to capture WiFi credentials.
“Additionally, Richard also managed to upload malicious firmware on the devices, something that costs less than £5 to do and provides exact locations of the smart plugs as well as allowing cyber criminals to launch cyber attacks from users’ WiFi networks without being caught,” said the announcement. The A&O Group’s cyber security division disclosed what they found to Sonoff but did not receive a response (yet).NOTE: The UK Government’s newSecure by Design proposals aim to ban some poor practices, such as the use of universal default passwords.
Richard has also issued some advice for manufacturers and consumers on the subject.
What can manufacturers do to help prevent their devices being modified with malicious firmware?
• Glue or weld plastic enclosures so that it is more difficult to tamper with a device without leaving evidence in the form of cosmetic damage to the enclosure.
• Use hardware that requires a cryptographically signed firmware image.
• Coat components and connections required for dumping/flashing firmware with an epoxy resin, the removal of which would damage the components leaving the device inoperable.
• Use only approved distributors to form a trusted supply chain.
• Work with a security consultancy during product design to help ensure devices are as secure as possible before reaching production.
What can users do to protect themselves?
• Examine the device for any signs that it has been tampered with before connecting it to your network. Currently this will not be that effective as this research demonstrates it is possible to modify firmware leaving no traces.
• If possible, place untrusted devices on a separate network or VLAN.
• For the more technically savvy, monitor the communications of the device with a packet sniffer and try to confirm that all connections are valid. An organization may wish to have a vulnerability assessment completed by experienced security consultants.