They come with a promise to help people run and monitor a range of gadgets and appliances around the home using a mobile phone.
But a new consumer investigation has found that smart plugs for sale at a wide range of retailers risk exposing sensitive personal data to hackers or create a serious fire risk.
Experts uncovered a critical issue with users’ wi-fi passwords not being encrypted during the setup of smart plugs, meaning an attacker could steal them.
The probe by Which? working with security consultants NCC Group bought 10 smart plugs available from popular online retailers and marketplaces, and found 13 "vulnerabilities" among nine of the plugs, including three rated as high impact and a further three as critical – all of which they said could pose a "major risk" to people’s homes.
One device had a critical fault that could cause a fire or even an explosion big enough to destroy the device plugged in to it.
Several of the products tested had a "critical vulnerability" that could allow cybercriminals to steal the network password and use that to hack not only the plugs and the hub, but also any other connected products, such as a thermostat, camera or potentially even a laptop.
As well as giving an attacker access to devices, this vulnerability could also divulge information such as when people are in and out of their homes, potentially a gift to criminals.
Which? found the issue with the popular Hive Active plug, available at a wide range of retailers including Amazon, John Lewis, Currys PC World, B&Q and Screwfix, although it said the window of opportunity for attack was smaller than on other devices.
Which? said it believes the latest findings further highlight the importance and urgency of new laws proposed by the Department for Digital, Culture, Media and Sport (DCMS), requiring smart devices sold in the UK to adhere to three basic security requirements.
Which? said none of the plugs Which? tested would currently meet these requirements.
None said at the point of sale how long the product woul be supported with security updates.
And hardly any of the devices Which? tested had a point of contact where it could report the vulnerabilities and problems it found, while many also use default passwords.
Kate Bevan, Which? computing editor, said: “Connected devices like smart plugs bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring.
“Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.
“Online marketplaces should also be given more legal responsibility for preventing unsafe products from being sold on their sites.
“In the meantime, online marketplaces, retailers and manufacturers must be far more proactive in preventing devices with security issues ending up in people’s homes.”
Experts also uncovered a critical issue with users’ wi-fi passwords not being encrypted during the setup of smart plugs, meaning an attacker could steal them.
The investigation found that the Meross Smart Plug WiFi Socket, sold on Amazon and eBay, could allow a hacker to enjoy free internet at the user’s expense, monitor what sites a person is visiting and attempt to compromise other devices that they have connected to the smart home system.
Meross has said it will fix the issue but this could take six months or more.
In another case, testers found a flaw that meant an attacker could seize total control of the plug, and of the power going to the connected device.
Which? said Hive and TP-Link had both engaged "positively" with the findings and are in the process of fixing the respective issues with their products.
Which? is also in ongoing talks with Meross which has said it will fix the issue but this could take six months or more.
Hive said: “We thank the Which? team for bringing this to our attention. Protecting our customers from cybercrime is paramount and we are actively working with the Government and industry peers to ensure smart technology has rigorous security measures in place to ensure data privacy.
“We agree any potential vulnerability is serious and we will be reviewing their full findings to evaluate the seriousness of this claim. However, from what we have seen to-date, and as verified by Which?, the risk to our customers brought about from this scenario is extremely low due to the small window of opportunity, the customer interaction required and the need to be in close proximity to the devices. If any of our customers have concerns they can contact us directly to discuss.”
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules here