Cheap smart plugs found on online marketplaces could contain critical security issues that expose you to hackers, and design flaws that could even start a fire, a Which? investigation has revealed.
Which? bought 10 smart plugs from popular online retailers and marketplaces, ranging from well-known brands, such as TP-Link and Hive, to less well known names such as Hictkon, Meross and Ajax Online.
Working with security consultants NCC Group, we found 13 vulnerabilities among nine of the plugs, including three rated as high impact and a further three as critical, one of which could cause a fire in your home.
A smart plug turns a traditional electrical outlet into a smart home system. You can use one to turn on lights with an app or your voice, or monitor the power consumption of appliances, such as a fridge. But doing proper research before you buy is essential if you’re to avoid the issues we found.
Hictkon smart plug could cause a fire
The Hictkon Smart Plug with Dual USB Ports, available on Amazon Marketplace, has been poorly designed, with the live connection far too close to an energy-monitoring chip. This could cause an arc – a luminous electrical discharge between two electrodes – which poses a fire risk, particularly to older homes with older wiring.
Which? believes that the Hictkon Smart Plug, which experts suspect came with fake CE and FCC safety markings, is so dangerous that it should not be sold.
We’ve been unable to find a contact for Hictkon, so have taken our findings to Amazon, the sole seller of the plug. It has taken this smart plug off sale pending an investigation.
Anyone who has purchased one of these devices should unplug it and stop using it immediately.
‘When appropriate, we remove a product from the store, reach out to sellers, manufacturers, and government agencies for additional information, or take other actions,’ said Amazon.
‘If customers have concerns about an item they’ve purchased, we encourage them to contact our customer service team directly so we can investigate and take appropriate action.’
Other Hictkon smart plugs are still available on Amazon. We additionally purchased one of these plugs and it did not have the same electrical safety risks in its design as the plug above. However, we would still urge caution to anyone considering buying it.
Critical security flaws with TP-Link Kasa
The TP-Link Kasa is available as a standard smart plug, or you can buy a version with energy monitoring. A critical flaw we found in testing meant that an attacker could seize total control of the plug, and of the power going to the connected device. The vulnerability is the result of weak encryption used by TP-Link.
The attacker would have to be on your wi-fi network to do the hack. While that does reduce the risk, there are quite a few unsecure gadgets that can be remotely hacked, which means an attacker can get around your router’s firewall, such as the wireless cameras we featured in June.
Once on the network, the attack itself is trivial to carry out, and once compromised, the hacked plug could remain on your network undetected. TP-Link also shares the email address you used to set up the plug unencrypted with the attackers.
TP-Link has developed a fix for the vulnerability with the Kasa smart plug and this will roll out in October 2020. Which? will be verifying the fix when it becomes available.
Meross smart plug could reveal your home wi-fi password
Our experts also uncovered a critical issue with users’ wi-fi passwords not being encrypted during the setup of smart plugs, meaning an attacker could steal them.
The Meross Smart Plug WiFi Socket, sold on Amazon and eBay, could allow a hacker to enjoy free internet at the user’s expense, monitor what sites a person is visiting and attempt to compromise other devices that they have connected to the smart home system.
We contacted Meross and it said that it will fix the issue we’ve discovered, but has not given a firm date for that to happen.
Innr and Ajax smart plugs could be open to hackers
Which? found that this vulnerability emerges when you connect either of two plugs – the Innr SP 222 Zigbee 3.0 Smart Plug, available on Amazon and eBay, or Ajax Online plugs, available on Amazon – to a Tuya hub, a commonly used hub for connecting Zigbee devices.
As well as giving an attacker access to devices, this vulnerability could also divulge information such as when people are in and out of their homes, potentially a gift to criminals.
Innr said that, after investigating, it believed the issue Which? found lay more with the Zigbee implementation on the hub used in the testing. Which? remained in conversations with the brand at the time of publication over how to mitigate this issue going forward.
We contacted Ajax Online about our findings but had not heard anything back at the time of publication.
Popular Hive Active smart plug also affected
Which? found the same issue with the popular Hive Active plug, available at a wide range of retailers including Amazon, John Lewis, Currys PC World, B&Q and Screwfix, although the window of opportunity for attack was smaller on this device.
Hive said: ‘We agree any potential vulnerability is serious and we will be reviewing the full findings to evaluate the seriousness of this claim.
‘However, from what we have seen to date, and as verified by Which?, the risk to our customers brought about from this scenario is extremely low due to the small window of opportunity, the customer interaction required and the need to be in close proximity to the devices. If any of our customers have concerns they can contact us directly to discuss.’
Are there safe smart plugs available?
Not all smart plugs are going to result in your data being plundered, your devices being compromised or your home potentially burning down. We don’t run regular tests of smart plugs yet, which is why you won’t see Best Buys or scores on these products.
However, while our experts found some issues with the TP-Link Kasa plugs, we didn’t find anything concerning with the TP-Link Tapo Mini, so it could be a good, and cheap, option for automating your smart home.
You don’t need a separate hub to use this plug as it works with any standard wi-fi router. Plug it into a mains socket, plug into it the device you want to control and download the free TP-Link Tapo app. You can schedule or time the plug to turn on and off, and control it with Amazon Alexa or Google Assistant. Buy one Tapo Mini plug for £9.99, two for £16.99 or four for £31.99.
Which? takes action against unsafe smart products
Regular investigations and in-depth security testing at Which? have revealed a range of issues with popular smart products.
- In October 2019 we reported on the cheap security cameras that could be inviting hackers into your home, and a follow-up in June 2020 showed how more than 100,000 wireless cameras could be at risk in the UK.
- In December 2019 we found security flaws in kids’ karaoke machines and smart toys.
- In March we revealed that more than a billion Android devices could be at increased risk of malware threats, leaving people to question whether it’s safe to use an old mobile phone.
- In June 2020 we exposed security risks in cars, and the importance of removing your personal data.
- In July 2020 we discovered a security flaw in a TP-Link wireless camera, which we worked with TP-Link to get fixed.
The issues we’ve found help to demonstrate the importance of new laws proposed by the Department for Digital, Culture, Media and Sport (DCMS), requiring smart devices sold in the UK to adhere to three basic security requirements.
None of the plugs Which? tested would currently meet these requirements. None of them say at the point of sale how long the product will be supported with security updates. Hardly any of the devices Which? tested had a point of contact where it could report the vulnerabilities and problems it found, while some used weak default passwords.
Kate Bevan, Which? Computing editor, said: ‘Connected devices like smart plugs bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring.
‘Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.
‘Online marketplaces should also be given more legal responsibility for preventing unsafe products from being sold on their sites. In the meantime, online marketplaces, retailers and manufacturers must be far more proactive in preventing devices with security issues ending up in people’s homes.’
How to buy and use smart devices safely
Shopping for smart devices can be a bit of a minefield, especially on online marketplaces where hundreds of devices are available at attractively low prices.
- Beware unknown brands – Be cautious when the company that’s selling the smart product doesn’t have a website or any contact details. If you can’t find the brand online at all, or it doesn’t look reputable, avoid it.
- Check the reviews – Although the product might have hundreds or even thousands of glowing reviews, always read the negative ones, too. They can alert you to worrying issues with the product. Our investigations have shown it’s important to be wary of fake reviews, and even endorsements like Amazon’s Choice.
- Change the password – When setting up a new device, change the default password to a more secure one. We recommend the ‘three random words’ method. See our guide to secure passwords for more.
- Install all updates – These software updates provide vital protections against security threats. Check the settings to set updates to run automatically. And also run updates on your phone app.
For more online shopping tips, read our guide on how to spot a fake review.