The security behind: Smart plugs
15/02/2023 Podcast
In this podcast episode, Felix discusses smart plugs and their security aspects. Smart plugs are devices that can turn regular products into smart ones, like controlling a bedside lamp remotely. They can connect via various protocols, such as WiFi, Zigbee, Z-Wave, and more. While there has been some bad press about smart plugs, Felix believes that the criticisms often target the wider protocol or ecosystem rather than the plug itself.
Felix examines two smart plugs he bought: a Z-Wave plug and a WiFi plug. He disassembles them to understand their hardware components. The WiFi plug was completely sealed, making it harder for tampering, while the Z-Wave plug had evidence of hand soldering and a soldered-on Z-Wave module. He identifies flash storage chips on both devices, which may contain firmware or configuration data.
Z-Wave and Zigbee protocols have their vulnerabilities, with Z-Wave allowing mixed networks where not all devices have transmission encryption, raising concerns about protocol fallback attacks. Felix notes that open-source technologies often offer better security assurance compared to proprietary ones, as the latter hides security processes.
Regarding the WiFi plug, Felix points out a common flaw: sending passwords over the air without encryption during the pairing process. While implementers downplay the severity, Felix agrees with journalists that it’s a security risk. Attackers can exploit this to gain access to the WiFi network and other devices.
Felix emphasizes that smart plugs may not be the primary target for attackers; instead, they may aim for the network data or the user’s privacy. He advises caution when selecting smart plugs and recommends using Z-Wave or Zigbee plugs for better security. Additionally, he warns that cloud or internet-connected services associated with smart plugs can introduce additional vulnerabilities. In conclusion, smart plugs can be useful and safe with appropriate precautions.
Felix acknowledges that smart plugs do have their benefits and can be very useful, especially when used with caution. They offer convenience and can be integrated into home automation systems, providing users with greater control over their devices. However, users should be aware of potential risks and make informed decisions when choosing smart plugs, taking into account the security features of the underlying protocols.
To ensure the security of smart plugs, manufacturers should prioritize rigorous testing, regular updates, and the adoption of robust encryption methods. Openly sharing security information and collaborating with the security research community can also help identify and address vulnerabilities. Implementing out-of-band key exchange processes, like using QR codes or pin numbers during pairing, can enhance the security of Z-Wave devices.
As the Internet of Things (IoT) continues to expand, it is crucial for consumers to stay informed about the security risks associated with smart devices. Smart plugs are just one part of a vast ecosystem, and their security vulnerabilities can have broader implications for overall network security. A well-informed and security-conscious approach to IoT devices will help ensure a safer and more reliable smart home experience for everyone.