Researchers found a vulnerability that poses both physical and online security risks for the user.
Smart electrical sockets might launch the next cyberattack, or might even put your life in danger. Security researchers at Bitdefender have found a vulnerability in a popular brand—the researchers did not disclose which—that they say could allow an attacker to turn power outlets into botnets, read your email, and even set your house on fire if you connect an appliance that could overheat.
The vulnerable socket plugs into a regular one, and allows users to schedule the activity of any dumb electronic device, with the help of a smartphone. The app is available for both iOS and Android platforms, and there have been over 10,000 downloads from Google Play alone. Bitdefender contacted the smart socket vendor, and they've promised to release a fix during Q3 2016.
Among the most destructive actions someone could perform is to wipe the existing software on the socket and to replace it with malicious one, researchers said.
"Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the Internet," Alexandru Balan, chief security researcher at Bitdefender, said. "This is a serious vulnerability, we could see botnets made up of these power outlets."
So a squad of hacked smart sockets might be the next security problem the Internet of Things industry witnesses. This comes after we've already seen CCTV cameras turned into zombies, and we're getting ready for the zombie toaster army.
Researchers who analyzed the power outlet have found several security issues. The device comes with a weak username and password combination, and does not alert users to change it. Experts have also noticed that, during configuration, the app sends WiFi credentials in clear text over the network.
"For users, the consequences can extend to losing control of all their network-connected devices as they become weapons of attack in a cyber-criminal network"
In addition, when the device communicates with the app, the information passes through the vendor's servers unencrypted. It's only encoded, a process that's easily reverse engineered.
Researchers have also discovered that attackers could take advantage of a feature that allows the device to send emails to the user every time it switches on and off.
Bitdefender outlines two possible attacks, which the company tested in an environment similar to the common home.
They say hackers can compromise the email account of the user, if two-factor authentication is disabled. Attackers have to know the MAC address of the device and the default password. With that, they can reschedule the smart socket, or access all the information the device come into contact with, including email credentials.
Another hack that can be performed requires a little bit of coding. When typing a password, the ";" symbol can be misinterpreted as the end of a command. Someone might use this to their advantage, and instead of typing a password, they might type instructions for the device to perform a malicious action. Usernames and passwords should be stripped of characters such as commas or semicolons, in order to prevent command injections.
"When an attacker exploits this flaw, the commands specified in the new password overwrite the root password and can open the embedded Telnet service. Using Telnet, an attacker, regardless of his location, can send commands to stop/start/schedule the device, as well as to execute rogue commands, including running malicious firmware to achieve persistence or using the device to perform attacks on other computers or devices inside the local network," Bitdefender said in a paper.
"For users, the consequences can extend to losing control of all their network-connected devices as they become weapons of attack in a cyber-criminal network, as well as to exposing their email accounts and their contents," security researcher George Cabau said.
The research was carried out by Cabau together with infosec professionals Dragos Gavrilut and Radu Basaraba.