Several severe vulnerabilities have been identified in one of the most popular brands of smart sockets. The affected devices allow malicious users to infiltrate victims' networks. The brand has not been disclosed because patches have not been released yet.
The smart sockets expose victims' networks to cyber criminals
The Internet of Things (IoT) has presented yet another security vulnerability that raises serious concerns. The smart sockets allow their owners to switch devices on and off, monitor energy usage and prevent overheating. The sockets are controlled remotely through mobile applications. The vulnerable product was analyzed by a team of Bitdefender researchers: Dragos Gavrilut, Radu Basaraba and George Cabau. The device is set up and managed through the vendor's Android and iOS applications. During setup the smart sockets are connected to the consumer's Wi-Fi network and registered with the vendor's servers, which record information such as the device's name, model number and MAC address.
The discovered issues relate to the default configuration of the device. The manufacturer has not informed its customers that leaving the devices with the default username and password combination poses severe security risks.
The other issue is the transfer of the network's Wi-Fi credentials in clear text. This allows anyone in a position to observe the traffic to capture the credentials with standard tools. According to the security team, the built-in security features can easily be disabled.
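The two configuration weaknesses above (default credentials left in place, and Wi-Fi credentials sent in clear text) are the kind of thing a reviewer can flag mechanically from a packet capture of the setup exchange. The following is an added illustration, not code from the article or from Bitdefender: it audits a few constructed setup messages. The message layout, the field names (`key`, `ssid`), the paths and the assumed default credential pair are placeholders chosen for the example; the article does not disclose the device's real protocol or defaults.

```python
"""
Added example (not from the article or from Bitdefender): audit constructed
device-setup exchanges for the two weaknesses the article describes --
Wi-Fi credentials sent in clear text and default username/password in use.
Message format, field names and the default credential pair are assumptions.
"""
import base64
from urllib.parse import parse_qs

# Constructed sample: three setup/registration messages as a reviewer might
# reconstruct them from a capture. Only the first one is a problem.
SAMPLE_EXCHANGES = [
    {"transport": "http", "path": "/setup/wifi",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"admin:1234").decode()},
     "body": "ssid=HomeNet&key=sunflower-42"},
    {"transport": "https", "path": "/setup/wifi",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"admin:Tq9!vLm#2025").decode()},
     "body": "ssid=HomeNet&key=sunflower-42"},
    {"transport": "http", "path": "/status",
     "headers": {}, "body": "uptime=3600"},
]

# Assumed factory-default pairs (placeholders; the article names none).
DEFAULT_CREDENTIALS = {("admin", "1234"), ("admin", "admin")}
# Body fields that carry a secret if present.
CREDENTIAL_FIELDS = {"key", "password", "psk", "passphrase"}


def basic_auth_pair(headers):
    """Decode an HTTP Basic header into (user, password), or None if absent/invalid."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:]).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return (user, password)


def audit_exchange(msg):
    """Return a list of human-readable findings for one captured message."""
    findings = []
    fields = parse_qs(msg["body"])
    leaked = CREDENTIAL_FIELDS & set(fields)
    if leaked and msg["transport"] != "https":
        findings.append(f"cleartext credential field(s) {sorted(leaked)} on {msg['path']}")
    pair = basic_auth_pair(msg["headers"])
    if pair in DEFAULT_CREDENTIALS:
        findings.append(f"default credentials in use (user '{pair[0]}') on {msg['path']}")
    if pair is not None and msg["transport"] != "https":
        findings.append(f"device password sent in clear text on {msg['path']}")
    return findings


def audit_all(exchanges):
    """Flatten findings over every captured message."""
    return [f for m in exchanges for f in audit_exchange(m)]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_EXCHANGES):
        print("FINDING:", finding)
```

Run as a script it prints three findings, all against the first message; the second message carries the same fields over TLS with a non-default password and is clean. The check is deliberately transport-level: a device that encrypts the body itself would need a different test, which is why a reviewer still reads the capture rather than trusting the scheme name alone.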
The smart sockets provide an email notification feature that requires the username and password of the user's inbox. If an attacker gains access to the device through any of the vulnerabilities described, they can potentially compromise the email account as well.
The same password prompts can also be abused to inject arbitrary code, exposing device owners to a wide variety of attacks, including the installation of Trojans and ransomware.
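The mechanism by which a password field turns into a code-injection sink is not described on the page, so what follows is an added, generic illustration rather than the device's actual flaw: a mailbox password that is spliced into a shell command string, beside the hardened form that passes it as a single argv element with no shell involved. The `notify-mail` command and its flags are placeholders invented for the example.

```python
"""
Added example (not from the article or the vendor): a user-supplied mailbox
password becoming a command-injection sink when spliced into a shell command
string, and the hardened argv form. "notify-mail" and its flags are placeholders.
"""
import shlex
import subprocess


def build_mail_command_unsafe(user, password, recipient):
    """Vulnerable pattern: a string destined for a shell. Any shell
    metacharacter or whitespace in the password changes the command structure."""
    return f"notify-mail -u {user} -p {password} -t {recipient}"


def build_mail_command_safe(user, password, recipient):
    """Hardened pattern: an argv list executed with shell=False keeps the
    password as exactly one argument whatever characters it contains."""
    return ["notify-mail", "-u", user, "-p", password, "-t", recipient]


def shell_would_split(command_string):
    """Tokenise the way a POSIX shell would (punctuation such as ';' and '|'
    becomes its own word). Nothing is executed; this only shows the split."""
    lexer = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def run_safe(argv, dry_run=True):
    """Execute the hardened form without a shell. dry_run=True returns the argv
    instead of running the placeholder binary."""
    if dry_run:
        return argv
    return subprocess.run(argv, shell=False, check=False).returncode


def compare(user, password, recipient):
    """Summarise how the two builders treat the same (constructed) password."""
    unsafe_words = shell_would_split(build_mail_command_unsafe(user, password, recipient))
    safe_argv = build_mail_command_safe(user, password, recipient)
    return {
        "unsafe_argc": len(unsafe_words),   # grows when the password carries extra words
        "safe_argc": len(safe_argv),        # always 7 for this command shape
        "password_intact": safe_argv[4] == password,
    }


if __name__ == "__main__":
    # Constructed, deliberately benign password containing a shell separator.
    result = compare("bob", "pw; echo injected", "owner@example.com")
    print(result)
```

With the constructed password the shell-string version splits into more words than the command has parameters, while the argv version hands the whole string over as one argument. Passing secrets on a command line is still not ideal, since they show up in the process list; the argv form removes the injection, and a production fix would also move the secret to stdin or an environment variable.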
Malicious users could potentially assemble large botnets of compromised smart devices. The affected smart socket vendor is currently working on a security patch that is expected to be released in the third quarter of this year.