Vulnerabilities in the Edimax Smart Plug Switch expose home Wi-Fi login credentials and allow attackers to remotely control the device.
The Edimax Smart Plug is designed to plug into any wall socket and allow any connected to it to be turned on or off via a smartphone. Security researchers at BitDefender have identified a number of vulnerabilities in the Smart Plug.
One significant flaw has to do with how the Wi-Fi credentials and user email credentials are stored within the Smart Plug and broadcasted to the mobile app. According to Bitdefender, the Smart Plug stores and communicates Wi-Fi and email account credentails in un-encrypted format, which exposes them to being intercepted.
Additionally, Bitdefender indicates that the Smart Plug ships with a relatively weak default login username and password, and the app fails to advise the user to change the credentials during the setup. This means that most Smart Plugs are likely still running with default login credentials, which makes it relatively simple for a hacker to gain remote access to the device and perform a range of malicious activities including stealing the user’s email login credentials, modifying the device software, and remotely controlling the Smart Plug and whatever device it is connected to.
If you own a Smart Plug device, it is recommended that you change the default name and password for the device via the app, and download and install the patch from the manufacturer when it becomes available. The manufacturer is currently expected to release the patch by the end of September. Until then, it would be advisable not to connect critical hardware to the Smart Plug.