Smart plugs sold for just over a tenner give hackers access to your home network
According to Statista, the global market for Internet of Things (IoT) end-user solutions is expected to grow to almost 1.6 billion US dollars by 2025. Equally, the industrial use of IoT is also increasing, so much so that the FIDO Alliance recently introduced a new standard for IoT devices, helping to address the security, cost and complexity challenges involved in deploying IoT devices at scale.
With the smart home growing in popularity, many consumers are using simple, cheap methods such as installing smart plugs to convert ordinary devices and appliances into smart ones. But are they considering the security threats they’re opening themselves up to?
To answer this question and demonstrate the threat smart/IoT devices can pose, we decided to test how secure a smart plug really is, looking at some popular smart plugs such as the Sonoff S26 and the Ener-J WiFi. Such smart plugs are low cost and easily available to purchase on sites such as eBay, AliExpress and Amazon.
Our research was two-fold. We initially wanted to look at the role IoT devices can play in a supply chain attack and secondly, and more specifically, how a device might be flashed with malicious firmware to allow a bad actor to perform malicious operations.
Before even getting to the firmware installation, we discovered weak passwords supplied in user guides, unencrypted traffic between the smart plugs and mobile device, and easy to capture WiFi credentials – all of which an attacker could intercept and use to take control of the smart plug. These are the findings detailed in this first blog of a two-part series.
Setting up the devices
Before either smart plug can be used, they must be paired with a mobile phone app. For the Sonoff S26 this was the eWeLink app and for the Ener-J this was the ENERJ SMART.
First, we worked on pairing the Sonoff S26. The plug was placed in AP pairing mode according to the supplied instructions which broadcast a SSID, or network name, of ITEAD-1001xxxxxx which was secured with a WPA2 pre-shared key (PSK).
Curious as to what the PSK may be to join the WiFi network broadcast by the Sonoff S26 (which to be clear is not required to be known by the user), a quick Google resulted in an unexpected result on the manufacturers website. High in the search results was a link to the Sonoff Basic/RF User Guide. Although the Sonoff Basic is a different model of smart device it pairs with the same eWeLink app as the Sonoff S26. The guide clearly states that the default (and incidentally this is not changeable by the user) password or PSK is 12345678. Not only is this an extremely weak PSK which can be up to 63 characters but publishing it in a user guide when it is not required is a major cyber security blunder. Already, we’d identified a vulnerability.
Figure 1: Sonoff Basic/RF User Guide
Armed with this PSK, we were able to successfully connect to the WiFi network broadcast by the smart plug. Hackers are often able to crack a weak password using powerful graphics cards in very little time and often in minutes or even seconds if the password is on a word list, in this case an attacker is being handed the PSK on a silver platter. Were an attacker to arm his or herself with this same PSK, they would be able to monitor or intercept communications between the mobile application and the smart plug.
Next a quick scan was performed to see what network services were being provided by the Sonoff S26.
The port scan showed that the Sonoff S26 had a service listening on port 80 which is commonly used by web servers to serve unencrypted HTTP traffic so there was a pretty good chance that the mobile application would use unencrypted HTTP traffic to communicate with the device during pairing.
Therefore, the next step was to fire up network protocol analyzer Wireshark and monitor traffic on the network.
After this, with Wireshark listening on the network, it was time to attempt to pair the device with the eWeLink mobile application. This confirmed our suspicions. The messages were not encrypted, and we were able to see the WiFi credentials that the mobile application passes to the smart plug.
We can see that the mobile application first requests device details from the smart plug using the following request:
GET /device HTTP/1.1
And the smart plug responds with the following payload:
Although this information may well be useful to an attacker wishing to clone the smart plug or use its API key to interact with the cloud server, the next message was of more immediate concern.
The mobile application then sent the SSID (network name) and PSK for the user’s WiFi network to the smart plug using clear text.
This represents a serious security vulnerability as an attacker can capture the credentials to join the user’s WiFi network from which they can launch further attacks on the user’s network, other connected devices within your home, or on the wider internet.
Once on your network an attacker could exploit any vulnerabilities they discover to perform tasks such as to receive video and audio from laptops, control vulnerable smart devices, download sensitive data or monitor traffic from other devices. Attackers can also download illegal material from the internet or launch attacks on other users’ devices with little chance of being caught as there is nothing to tie them to your internet connection.
A&O IT Group’s cyber security division have disclosed this vulnerability to the manufacturer but have not received a response at the time of writing.