A vulnerability in a popular brand of smart electrical sockets has been found that could allow hackers to spread malicious software to connected devices.
By Rodney Bosch · August 19, 2016
BUCHAREST, Romania— A smart electrical socket that could allow a hacker to turn power outlets into botnets, read your email, and even set your house on fire if you connect an appliance that could overheat? Those nightmarish scenarios are all possible, according to security researchers.
Researchers at cybersecurity software firm Bitdefender, based here, have identified a vulnerability in an undisclosed popular brand of smart electrical socket they say could be hijacked by an attacker, reports motherboard.vice.com.
The vulnerable socket plugs into a regular one, and allows users to schedule the activity of any dumb electronic device, with the help of a smartphone. The app is available for both iOS and Android platforms, and there have been over 10,000 downloads from Google Play alone, according to the article. Bitdefender contacted the smart socket vendor, which has said they will release a fix during Q3 2016.
Among the most destructive actions someone could perform is to wipe the existing software on the socket and replace it with malicious software, researchers said.
“Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the Internet,” Alexandru Balan, chief security researcher at Bitdefender, told Motherboard. “This is a serious vulnerability, we could see botnets made up of these power outlets.”
Researchers who analyzed the power outlet have found several security issues, including a weak username and password combination that users are not alerted to change. Experts have also noticed that, during configuration, the app sends WiFi credentials in clear text over the network.
In addition, when the device communicates with the app, the information passes through the vendor’s servers unencrypted. It’s only encoded, a process that’s easily reverse engineered.
Researchers have also discovered that attackers could take advantage of a feature that allows the device to send emails to the user every time it switches on and off.
Bitdefender outlines two possible attacks, which the company tested in an environment similar to the common home. The article continues:
They say hackers can compromise the email account of the user, if two-factor authentication is disabled. Attackers have to know the MAC address of the device and the default password. With that, they can reschedule the smart socket, or access all the information the device comes into contact with, including email credentials.
Another hack that can be performed requires a little bit of coding. When typing a password, the “;” symbol can be misinterpreted as the end of a command. Someone might use this to their advantage, and instead of typing a password, they might type instructions for the device to perform a malicious action. Usernames and passwords should be stripped of characters such as commas or semicolons, in order to prevent command injections.
“When an attacker exploits this flaw, the commands specified in the new password overwrite the root password and can open the embedded Telnet service. Using Telnet, an attacker, regardless of his location, can send commands to stop/start/schedule the device, as well as to execute rogue commands, including running malicious firmware to achieve persistence or using the device to perform attacks on other computers or devices inside the local network,” Bitdefender said in a paper.
The consequences for users can extend to losing control of all their network-connected devices as they become weapons of attack in a cyber-criminal network, as well as to exposing their email accounts and their contents, security researcher George Cabau told Motherboard.
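The semicolon problem described above can be shown with a short added example, which is not code from Bitdefender, the vendor or the original article. It contrasts a password concatenated into a shell command line with a hardened form that validates against an allowlist and passes the value as a single argument with no shell. The command name `set_device_password`, the allowlist and the sample passwords are assumptions made for illustration, and the example rejects unsafe input rather than stripping characters.

```python
import re
import shlex

# Hypothetical firmware helper name; the article does not name the real command.
SET_PASSWORD_CMD = "set_device_password"

# Assumed allowlist: 8-64 characters, none of which has meaning to a shell.
_ALLOWED = re.compile(r"[A-Za-z0-9_.@+-]{8,64}")


def unsafe_command_line(password: str) -> str:
    """Flawed pattern: user input concatenated into a shell command string."""
    return f"{SET_PASSWORD_CMD} {password}"


def shell_commands(command_line: str) -> list[list[str]]:
    """Approximate how a POSIX shell separates a line into commands on ';'."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token and not token.strip(";"):  # token made only of semicolons
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [c for c in commands if c]


def validate_password(password: str) -> str:
    """Reject anything outside the allowlist instead of trying to clean it."""
    if not _ALLOWED.fullmatch(password):
        raise ValueError("password contains characters outside the allowlist")
    return password


def safe_argv(password: str) -> list[str]:
    """Hardened form: validated value passed as one argv element, no shell."""
    return [SET_PASSWORD_CMD, validate_password(password)]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the research.
    for candidate in ("Corr3ct-Horse.9", "abc;echo INJECTED"):
        print(candidate, "->", shell_commands(unsafe_command_line(candidate)))
```

An argument list like the one `safe_argv` returns is meant to be handed to a process-spawning call that does not invoke a shell, so the password is never parsed as command text.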