Smart plugs act as window to home network, expert warns

20 May 2021   By Dr Lucy Brown, Editor

Cheap and popular smart plugs may come with unsecure default passwords and be open to tampering before being sold on by potential hackers.

The research by A&O IT Group looked at the Sonoff S26 and the Ener-J WiFi smart plugs to check for security vulnerabilities.

They found the Sonoff S26 came with a simple default pre-shared key (PSK) which was unnecessarily published in the user guide.

Both plugs were also found to be easy to tamper with, leading to questions about whether malicious plugs could find their way into customers homes.

smart plug and phone

Simple security errors

A&O IT Group's team looked at how the smart plugs were paired to their respective mobile phone apps.

The signal broadcast by the Sonoff S26 was secured with a WPA2 pre-shared key (PSK), something the customer doesn't need in order to make the connection work.

However, when the team searched online to see if the PSK had been published, they found it was unnecessarily included in a user guide for a different device on Sonoff's website.

The PSK was also a very basic sequence of eight consecutive numbers when up to 63 characters could have been used to secure the device.

A&O identified this as a major cyber security blunder, especially as they were then able to successfully connect to the wi-fi network broadcast by the smart plug and discovered the network traffic was unencrypted.


The team also looked at how easily the plugs could physically be tampered by opening them up and looking at the chips inside.

Both the Sonoff and Ener-J plugs had casing that was straightforward to disassemble and reassemble without leaving signs behind that it had been opened.

After looking inside, the team created malicious firmware that could be flashed to the device to later steal credentials via the plug's wi-fi network.

Their concern is that such cheap smart plugs can potentially be bought from a manufacturer and maliciously modified before being reintroduced into the supply chain via eBay or other online marketplaces.

They recommended several steps manufacturers could take to secure their plugs, as well as suggesting buyers should take the following steps too:

  • Carefully check a device before use to see if it may have been tampered with
  • Only connect smart plugs to items that wouldn't cause a hazard if they were turned on unexpectedly (avoiding kettles, heaters etc)
  • Make sure other devices on the network have up-to-date security

Further options for the more technically savvy include placing untrusted devices like smart plugs on a separate wi-fi network within the home.

Securing smart homes

This latest research from A&O is a reminder that smart home devices pose potential risks if they are not secured properly.

We've been waiting several years now for such devices to be properly labelled and regulated, with a consultation launched in 2019.

The results of that were published in January 2020 in the form of proposals to ensure passwords for smart devices were unique among other protections.

A second consultation ran during 2020 and it seems the Government finally intends to legislate on these issues according to the most recent update from last month.

Yet critics say the process of making smart devices secure by design is taking too long and is trailing behind the effort to get more people interested in creating smart homes.

Back in 2016, smart devices contributed to a massive distributed denial of service (DDoS) attack that took major websites offline.

independent comparison

We are independent of all of the products and services we compare.

fair comparison

We order our comparison tables by price or feature and never by referral revenue.

charity donations and climate positive

We donate at least 5% of our profits to charity, and we have a climate positive workforce.