Smart plugs are very useful gadgets, letting you switch power on and off to anything from lights to heaters – even hair straighteners. Link them with Alexa or Google Assistant and you can control the plugs with just your voice.
But as convenient as they are, some aren’t as secure as they should be. And buying smart plugs from unknown brands just because they’re cheap on Amazon, eBay or another retailer can open you up to even more risks, such as fires and explosions.
That’s what the latest Which? report shows. It tested 10 smart plugs in August 2020 and found that models from popular brands such as Hive and TP-Link weren’t immune to hacking.
(It found no issues with the £12.99 TP-Link Tapo Mini, which sits at the top of our roundup of the best smart plugs, though.)
It was the older TP-Link Kasa plug that was found to have a vulnerability, which allowed the testers to take control of the plug and of the switch to the connected appliance.
The hack also opens up the possibility for criminals to attack devices on your home network and potentially access data as well. Another black mark was that TP-Link doesn’t encrypt the email address used to set up the plug, meaning hackers have easy access to it and could use it in phishing scams.
Hive’s Active Plug was found to have a flaw whereby hackers could steal the Wi-Fi password and use it to gain access to all the devices connected to your home network. However, this only happened when connecting plugs to a ‘Tuya hub’, a popular hub that’s used for Zigbee devices.
Which? said that the ‘window of opportunity for attack’ was considerably narrower on the Hive plug than on Innr SP 222 Zigbee 3.0 Smart Plugs and Ajax Online Plugs, which are available on Amazon.
The worst offender was the Hictkon Smart Plug with Dual USB Ports. This has been removed from sale on Amazon pending investigation, but the testers found that it was poorly designed and has the potential to cause a fire because of the proximity of the live connection to an energy-monitoring chip inside.
It’s suspected that the device has fake CE markings.
The security experts carrying out the tests found that Meross plugs didn’t encrypt the Wi-Fi password used during setup, which means a hacker could use this to get free internet, monitor the websites that those using the network are visiting and – as with the similar issue mentioned earlier – compromise any other device connected to that network.
Which? attempted to contact these companies to show them the findings, but received no response from Ajax Online and was unable to contact Hictkon.
Both TP-Link and Hive have been working with Which? to fix the issues discovered, and Meross said it will resolve the problem with its plugs, but it might take over six months to do so.
Smart home kit has been found to be hackable many times in the past, and there’s no doubt there will be more cases like this in future.
Our advice is to buy products from well-known brands and accept that, even then, there is always a risk that there could be security holes. Don’t let that put you off buying any smart home devices: just about every tech product from Windows to Google Nest smart displays has suffered from one vulnerability or another.
It’s also why it’s a good idea to use a device such as a Bitdefender Box, or a router which runs security software that can protect your entire home network.
Antivirus software is great, but it can obviously only protect the devices on which it runs: not your home security cameras, smart speakers and other connected gadgets.
If you’re tempted by a cheap smart plug or another device, research the brand and see if you can find contact details, tech support numbers and signs that it’s reputable.
Also, as Which? points out, you should always change the default password – if there is one – to one of your own choosing.