According to security researchers from Bitdefender, there is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device and use it for DDoS attacks.
Bitdefender didn't reveal the device's manufacturer but said the company is working on a fix, which will release in late Q3 2016.
IoT electrical sockets are the next big thing in IoT
If you're wondering what's a smart electrical socket, these are small electrical socket extenders, which you can plug into a regular wall socket and add smart management features.
The device comes with a module that allows users to manage power consumption using predetermined limits and schedule the socket to allow usage only between certain hours.
Technically the device can be added to any wall socket or "dumb" device, and add a scheduling component which users can control through a smartphone.
Lack of any encryption exposes local Wi-Fi credentials
According to Bitdefender's technical analysis, there are several major problems with this unnamed smart socket.
When users set up the product, they also need to install one of the accompanying iOS or Android apps. These apps allow the user to connect to the smart electrical socket's built-in hotspot and configure it by entering the local Wi-Fi network credentials.
The IoT socket uses these credentials to connect to the local network and contact the vendor's servers, to which it sends a configuration file that includes several device details, such as model, make, device name, firmware version, MAC address, and others.
Bitdefender experts say that all these network packet exchanges take place without encryption, in cleartext, which an attacker can easily pick up if sniffing the local network at the right time.
All communications with the manufacturer's servers, and between the app and the smart socket, take place using encoded messages, without encryption. Bitdefender says the encoding can be reverse-engineered with ease because the encoding scheme used by the device is publicly available.
The "smart" socket can't be trusted with any type of passwords
Additionally, the device's default admin username and password are easy to guess, even without reading the device documentation.
The device also comes with a built-in feature to send users email notifications when a device scheduled task executes successfully. For this feature to function properly, users must fill in their email account username and password in the device's configuration panel. The device improperly stores these details.
Bitdefender researchers say that an attacker who knows the device's MAC address and default password can take control of the device, reschedule it, or retrieve the email account username and password stored on it.
Unless two-factor authentication is enabled for that email account, an attacker can easily hijack the user's email inbox.
Furthermore, a basic command injection bug exists in the password authentication process. This flaw allows the attacker to authenticate using a password in the form of " some_text;MALICIOUS_CODE ".
This basic security flaw, caused by the lack of proper password sanitization, allows an attacker to take over the device during authentication even without knowing the real password.
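The defect described above is the classic pattern of handing a user-supplied password to a shell, where "some_text;command" splits into two commands. The following is an added example, not the vendor's firmware or Bitdefender's code: an in-process login check for an embedded device that never invokes a shell, rejects and logs shell metacharacters, and compares a hash in constant time. FNV-1a and the sample secret "S0cket-Demo" are constructed stand-ins; a real device would use a salted password KDF.

```c
/* Added example (not the vendor's code). Vulnerable pattern it replaces:
 *     snprintf(cmd, sizeof cmd, "/bin/checkpw %s", pw); system(cmd);
 * A password of the form "text;cmd" makes the shell run "cmd". The check
 * below does the comparison in-process, so no shell is ever involved. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint64_t g_stored_hash;   /* set once at provisioning time */

/* Flags characters a shell would treat specially. Such input in a
 * password field is worth logging as a probable injection attempt. */
int has_shell_metachar(const char *s) {
    return strpbrk(s, ";|&`$(){}<>\n\r\\'\"") != NULL;
}

/* Toy 64-bit FNV-1a over the string bytes; stand-in for a real KDF. */
static uint64_t fnv1a(const char *s) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 0x100000001b3ULL; }
    return h;
}

/* Constant-time compare: timing must not reveal how many bytes matched. */
static int ct_equal(const void *a, const void *b, size_t n) {
    const uint8_t *x = a, *y = b;
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= x[i] ^ y[i];
    return d == 0;
}

/* Stores only the hash of the configured password (constructed sample). */
void set_password(const char *pw) { g_stored_hash = fnv1a(pw); }

/* Returns 1 only on an exact match; metacharacters are refused outright. */
int authenticate(const char *supplied) {
    if (has_shell_metachar(supplied)) {
        fprintf(stderr, "auth: rejected input containing shell metacharacters\n");
        return 0;
    }
    uint64_t h = fnv1a(supplied);
    return ct_equal(&h, &g_stored_hash, sizeof h);
}

int main(void) {
    set_password("S0cket-Demo");                 /* constructed sample secret */
    printf("%d\n", authenticate("S0cket-Demo"));  /* 1 */
    printf("%d\n", authenticate("abc;reboot"));   /* 0 */
    return 0;
}
```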
Did anyone say DDoS?
Bitdefender's Alexandru Balan says that these insecure electrical sockets can, in theory, be added to botnets via rogue firmware updates and used for DDoS, brute-force, or other types of coordinated network attacks.
"This type of attack enables a malicious party to leverage the vulnerability from anywhere in the world," Balan, Chief Security Researcher at Bitdefender, says.
"Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving; however, this flaw allows hackers to control devices over the Internet and bypass the limitations of network address translation. This is a serious vulnerability; we could see botnets made up of these power outlets."