As more and more of the public become interested in living in a connected home, smart plugs offer a simple way to make your existing appliances smarter. Using these plugs allows you to control any electronic appliance from the ease of your smartphone. The industry leaders of these plugs provide customers with power management, remote on/off switching, intelligent timer, and task scheduling.
The ethical hacking team executed comprehensive intelligence gathering to uncover vulnerabilities in the popular TP-Link smart plug device. The primary goal was to understand the product’s functional logic and trick the device to execute our commands. If successful, this attack would provide malicious attackers with the ability to control high criticality appliances and potentially cause serious material damage by leaving unmonitored devices on to overheat.
By using dedicated testing tools, the team successfully communicated with the target device and found a lack of properly implemented encryption and authentication security mechanisms. The team managed to send valid on/off commands, which were scheduled to execute after a specific period of time. A detailed analysis confirmed the ability of random users, connected to the same network, to take full control over the device from the devices’ owners and cause denial of service to other in-range smart appliances.
- Always perform an open source research through reliable search engines (e.g. Google, Bing, etc.) on possible vulnerabilities identified for the smart device you are interested in.
- Keep your externally facing smart devices on a separate network.
- Be aware of any signs for physical intervention with the product.
- Make sure your smart device is properly configured and regularly updated.
- Unplug any devices that could potentially cause physical damage to your home if left on (for example, heat styling tools) from their smart plugs when not in use.