The research by A&O IT Group looked at the Sonoff S26 and the Ener-J WiFi smart plugs to check for security vulnerabilities.
They found the Sonoff S26 came with a simple default pre-shared key (PSK) which was unnecessarily published in the user guide.
Both plugs were also found to be easy to tamper with, raising the question of whether maliciously modified plugs could find their way into customers' homes.
A&O IT Group's team looked at how the smart plugs were paired to their respective mobile phone apps.
The wi-fi network broadcast by the Sonoff S26 during pairing was secured with a WPA2 pre-shared key (PSK), a key the customer never needs to enter to make the connection work.
However, when the team searched online to see if the PSK had been published, they found it was unnecessarily included in a user guide for a different device on Sonoff's website.
The PSK was also a very basic sequence of eight consecutive digits, when up to 63 characters could have been used to secure the device.
A&O identified this as a major cyber security blunder, especially as they were then able to successfully connect to the wi-fi network broadcast by the smart plug and discovered the network traffic was unencrypted.
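The weakness described above is the sort of thing a manufacturer or an auditor can catch with a mechanical policy check before a default key ever ships. The following is an added example (not code from A&O IT Group or from either vendor) that scores a candidate WPA2-PSK passphrase against the constraints the article mentions: the 8 to 63 character range, a known-published default list, and trivially guessable patterns such as a run of consecutive digits. The `PUBLISHED_DEFAULTS` set and all sample passphrases are constructed placeholders, not the real key from the Sonoff guide.

```python
import string

# Constructed placeholder list; a real deployment would populate this with
# passphrases that have appeared in public manuals, support pages or forums.
PUBLISHED_DEFAULTS = {"PLACEHOLDER-DEFAULT-PSK"}

MIN_LEN = 8   # WPA2-PSK ASCII passphrase minimum length
MAX_LEN = 63  # WPA2-PSK ASCII passphrase maximum length


def is_consecutive_run(s: str) -> bool:
    """True if every character is exactly +1 or -1 from the previous one,
    which catches '12345678', 'abcdefgh' and '87654321'."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(s: str) -> bool:
    """True if the passphrase is one character repeated, e.g. 'aaaaaaaa'."""
    return len(set(s)) == 1


def character_classes(s: str) -> int:
    """Count how many of lower, upper, digit and punctuation classes appear."""
    classes = 0
    classes += any(c.islower() for c in s)
    classes += any(c.isupper() for c in s)
    classes += any(c.isdigit() for c in s)
    classes += any(c in string.punctuation for c in s)
    return classes


def assess_psk(psk: str) -> list[str]:
    """Return a list of policy findings; an empty list means the passphrase passes.

    Thresholds (20 characters, three classes) are this example's own policy
    choices, not a figure from the article or a standard."""
    findings = []
    n = len(psk)
    if n < MIN_LEN or n > MAX_LEN:
        findings.append(f"length {n} outside WPA2-PSK range {MIN_LEN}-{MAX_LEN}")
    if psk in PUBLISHED_DEFAULTS:
        findings.append("matches a published default passphrase")
    if psk.isdigit():
        findings.append("digits only")
    if is_consecutive_run(psk):
        findings.append("consecutive character sequence")
    if is_repeated(psk):
        findings.append("single repeated character")
    if character_classes(psk) < 3 and n < 20:
        findings.append("fewer than three character classes and under 20 characters")
    return findings


if __name__ == "__main__":
    # Constructed sample keys: a sequential-digit default like the one the
    # article describes, a repeated character, and a long mixed passphrase.
    for candidate in ("12345678", "aaaaaaaa", "Tr0ub4dor-Horse-Staple-9x"):
        verdict = assess_psk(candidate)
        print(candidate, "->", verdict or "OK")
```

The point of a check like this is to fail the build or the provisioning step, not to rate the key: any finding at all should block a default from being printed in documentation or burned into firmware.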
The team also looked at how easily the plugs could be physically tampered with, by opening them up and examining the chips inside.
Both the Sonoff and Ener-J plugs had casing that was straightforward to disassemble and reassemble without leaving signs behind that it had been opened.
After looking inside, the team created malicious firmware that could be flashed to the device to later steal credentials via the plug's wi-fi network.
Their concern is that such cheap smart plugs can potentially be bought from a manufacturer and maliciously modified before being reintroduced into the supply chain via eBay or other online marketplaces.
They recommended several steps manufacturers could take to secure their plugs, as well as suggesting buyers should take the following steps too:
Further options for the more technically savvy include placing untrusted devices like smart plugs on a separate wi-fi network within the home.
This latest research from A&O is a reminder that smart home devices pose potential risks if they are not secured properly.
We've been waiting several years now for such devices to be properly labelled and regulated, with a consultation launched in 2019.
The results of that were published in January 2020 in the form of proposals to ensure passwords for smart devices were unique among other protections.
A second consultation ran during 2020 and it seems the Government finally intends to legislate on these issues according to the most recent update from last month.
Yet critics say the process of making smart devices secure by design is taking too long and is trailing behind the effort to get more people interested in creating smart homes.
Back in 2016, smart devices contributed to a massive distributed denial of service (DDoS) attack that took major websites offline.