Bitdefender has discovered vulnerabilities in a popular brand of ‘smart’ electrical socket which could lead to attacks on your local area network or the recruitment of the IoT device as part of a global botnet.
Smart electrical sockets are used in homes, offices and elsewhere to give the user remote control over electrical power and to monitor the status of the power supply. This particular brand comes with an app which, the researchers report, has been downloaded over 10,000 times from the Google Play Store.
Bitdefender researchers Dragos Gavrilut, Radu Basaraba and George Cabau found they could remotely open a telnet session with the device. This would enable an attacker to execute rogue commands from anywhere, including running malicious firmware and using the device to attack other computers or devices on the local network.
They also found that during setup, the mobile app transfers the Wi-Fi username and password in clear text over the network.
Device-to-application traffic is routed through the vendor's servers, and the information is only encoded, not encrypted, which means that it can be decoded using readily available software.
The IoT device can also be configured to send email notifications to the user, but the user must give the device their email account credentials to enable this feature.
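The distinction the researchers draw between "encoded" and "encrypted" is the crux of the setup and relay findings: a base64 or similar wrapper hides nothing from anyone who can see the traffic. The following Python audit script is an added example, not code from Bitdefender or the socket vendor. It runs over a handful of constructed payloads (hypothetical formats, not captures from this product) and classifies each as cleartext credentials, credentials that are merely encoded, opaque data, or benign, which is the check a defender would run against their own IoT traffic to confirm whether a device really encrypts what it sends.

```python
import base64
import binascii
import json
import re

# Constructed sample payloads standing in for a device/app exchange. The field
# names and formats are assumptions for illustration, not the product's protocol.
SAMPLE_PAYLOADS = [
    # Setup message carrying Wi-Fi credentials in clear text
    "ssid=HomeNet&password=hunter2&cmd=join",
    # Email-notification settings wrapped only in base64 (encoded, not encrypted)
    base64.b64encode(json.dumps(
        {"smtp_user": "alice@example.com", "smtp_pass": "s3cret", "relay": "on"}
    ).encode()).decode(),
    # Random-looking bytes in base64, the shape genuine ciphertext would have
    base64.b64encode(bytes(range(0, 256, 7))).decode(),
    # Harmless status report
    "state=on&watts=12",
]

# Keys that should never travel unprotected; optional prefix such as "smtp_".
SENSITIVE_KEY = re.compile(
    r"(?:\w*_)?(?:pass(?:word)?|psk|secret|token|ssid|user(?:name)?)", re.IGNORECASE
)


def try_base64(payload):
    """Return decoded bytes if payload is strictly valid base64, else None."""
    try:
        return base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None


def as_printable_text(data):
    """Return data as str if it is printable UTF-8 text, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def find_sensitive_fields(text):
    """Return sensitive key names found in a JSON object or a key=value&... string."""
    try:
        obj = json.loads(text)
        if isinstance(obj, dict):
            return [k for k in obj if SENSITIVE_KEY.fullmatch(k)]
    except ValueError:
        pass
    found = []
    for pair in text.split("&"):
        key, _, _ = pair.partition("=")
        if SENSITIVE_KEY.fullmatch(key):
            found.append(key)
    return found


def classify(payload):
    """Classify one payload as cleartext, encoded-only, opaque or benign."""
    text = as_printable_text(payload.encode())
    if text:
        fields = find_sensitive_fields(text)
        if fields:
            return "cleartext", fields
    decoded = try_base64(payload)
    if decoded is not None:
        inner = as_printable_text(decoded)
        if inner is None:
            # Decodes to non-text: consistent with real ciphertext (or binary data)
            return "opaque", []
        fields = find_sensitive_fields(inner)
        if fields:
            # Readable after a trivial decode step: encoding is not confidentiality
            return "encoded-only", fields
    return "benign", []


def audit(payloads):
    """Return (classification, fields) for each payload, in order."""
    return [classify(p) for p in payloads]


if __name__ == "__main__":
    for payload, (verdict, fields) in zip(SAMPLE_PAYLOADS, audit(SAMPLE_PAYLOADS)):
        print(f"{verdict:13} {fields} <- {payload[:40]}")
```

Only the third payload comes back as opaque; the second one, despite looking like ciphertext at a glance, yields its SMTP credentials after a single base64 decode, which is exactly the property the article describes. A device that protected this data would produce only opaque results, and the script then tells you nothing further, which is the point.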
“Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving; however, this flaw allows hackers to control devices over the Internet and bypass the limitations of the network address translation. This is a serious vulnerability; we could see botnets made up of these power outlets,” says Alexandru Balan, Chief Security Researcher at Bitdefender.
“One of the most destructive actions an attacker can take is to rip off the existing software and plant malicious software in its place,” says George Cabau, antimalware researcher at Bitdefender. “For users, the consequences can extend to losing control of all their network-connected devices as they become weapons of attack in a cyber-criminal network, as well as to exposing their email accounts and their contents.”
Bitdefender declined to name the vendor, which has been informed of the vulnerabilities in line with Bitdefender's responsible disclosure policy. The socket vendor is reportedly working on a fix to be released in Q3 of 2016.