HEY EARLY ADOPTER, you thought that your smart plug was just being smart and turning on lights when you wanted it to, but in fact the bastard thing may be acting as a port that hackers can use to read your email and turn off your toaster.
No ways, we say. Who would have seen that one coming? Bitdefender, apparently, for that is the company barking the warning. The firm reckons that hackers can shut down systems, for example, we assume by turning plugs off at the wall.
"Users might be risking their privacy, and even physical security, when using smart plugs to manage appliances in homes, office buildings and other spaces," explained the firm's researchers in a blog post.
Bitdefender said that a popular electrical socket is vulnerable to malicious firmware upgrades and can be controlled remotely to expose users to physical and online security risks.
"The vulnerable device is a smart electrical switch that plugs into any wall socket and enables users to schedule a connected electronic device on and off from their smartphone. It can power any gadget - thermostats, smart TVs, coffee makers, security cameras, garage doors, medical devices and so on," the post said.
Bitdefender reckons that the problem is common across plugs and software, and that in Android's case the app has had 10,000 downloads. The threat also applies to Apple, naturally.
"In the mobile application, the user selects the option to install a new plug and chooses the home WiFi network from the list. The mobile application tries to establish a connection with the device's hotspot and, after it detects it, the app connects automatically," Bitdefender said.
"The user is asked to introduce the credentials of his home network, which the app transmits to the device. The smart plug connects to the local network and the set-up process is complete.
"Next, the device registers to vendor servers through UDP messages containing information on the model, device name and MAC address. The same data, plus the firmware version, port and local IP address, is sent in reply to the app."
The problems start here. Bitdefender explained that security at this level is weak and that the hotspot is protected with only basic security and a weak password/username combination. We are going to assume that these are ‘password' and ‘admin'.
"Bitdefender researchers observed that the hotspot is secured with a weak username and password combination. Furthermore, the application does not alert the user to risks associated with leaving default credentials unchanged," the firm warned.
"Changing them can be done by clicking ‘Edit' on the name of the smart plug from the main screen and choosing a new name and a new password.
"Secondly, researchers noticed that, during configuration, the mobile app transfers the WiFi username and password in clear text over the network. Also, the device-to-application communication that passes through the manufacturer's servers is only encoded, not encrypted.
"Encoding can be easily reversed using a scheme that is publicly available, while encryption keeps data secret, locked with a key available for a selected few."
All this enables a duo of attacks, one of which is remote control. This essentially means that you have surrendered your power to an outsider. In England, where a man's maisonette is his castle, this is a terrible thing.
Forced firmware upgrades are also possible, and these could add hitherto un-thought-of capabilities to the power socket problem through command injection.
"When an attacker exploits this flaw, the commands specified in the new password overwrite the root password and can open the embedded Telnet service," said Bitdefender.
"Using Telnet, an attacker, regardless of his location, can send commands to stop/start/schedule the device, as well as to execute rogue commands, including running malicious firmware to achieve persistence or using the device to perform attacks on other computers or devices inside the local network."
Let's all just go back to candles shall we? µ
EC says merged entity will 'continue to face significant competition'
Alexa, give me a reason to be cheerful about the UK economy
No, it isn't 1 April
Uniloc claims feature infringes a previously HP-owned patent