0

Are smart plugs safe, Xiaomi ones in particular (Zigbee and WI-FI versions)?

My main concern is that the plug is connected to Mi account and allows remote management. In case hacker gains access, can he reboot it dozens of times per second, so that would lead to spark, shortage and ultimately cause fire?

Should I be concerned about physical safety buying such devices?

Peter
  • 127
  • 7
  • If you are asking about physical safety, then information security is the wrong place to ask. – Josef Oct 15 '20 at 15:09

2 Answers2

2

Consumer grade IoT Devices are not known for their security, so from the perspective of "Can it be hacked" ... I would say most likely. From a brif overview of what it is and how it works, it sounds like it could easily be subject to a man-in-the-middle attack.

In terms of the "reboot it dozens of times per second, so that would lead to spark, shortage and ultimately cause fire" ... this would be a question for https://electronics.stackexchange.com although it most likely can be determined by looking at its UL Certification.

CaffeineAddiction
  • 7,517
  • 2
  • 20
  • 40
  • UL is unlikely to take the device being hacked, and turning the thing on/off 1000 times into consideration. – Steve Sether Oct 15 '20 at 17:39
  • 2
    it will deff take the on/off 1000x times into consideration – CaffeineAddiction Oct 15 '20 at 19:32
  • @CaffeineAddiction could you elaborate on a man-in-the-middle attack? For example this attack is possible to happen in LAN: attacker stands between Mi hub and Zigbee/Wi-Fi smart plug. The second option, I am somewhere in the coffee shop and my connection is intercepted so malicious commands are sent directly from my Mi account control room. Are these both options possible? Is there a way to protect from it? – Peter Oct 17 '20 at 07:14
  • @Peter well in the scope of wifi ... if they had a wifi router with the same SSID as the one it should be connecting to ... they can force a deauth and get it to connect to the rogue router ... from there they could intercept all traffic which ... a) might be unencrypted b) if encrypted might be using a key that is flashed onto the hardware ... eg they buy another device and dump the firmware to obtain the same key as yours. c) they strip the SSL through some other means. Likewise ... Zigbee isnt exactly a paramount of security either, and while im not familiar its prob even less secure. – CaffeineAddiction Oct 22 '20 at 06:44
  • Power cycling something a 1000 times a second is not just a fire risk for the switch but also for whatever is plugged into it, which is more difficult to determine. – schroeder Oct 24 '20 at 07:21
0

This is a difficult question to answer because it involves an inter-disciplinary approach, and thus knowledge of several domains.

As another poster mentions, IoT devices haven't historically been very secure. The dangers of turning the thing on/off multiple times a minute is going to vary greatly with the design of the specific product. Unless someone does actual testing or has specific knowledge of the device, even the folks over at electronics are unlikely to give you a good answer if the thing is dangerous or not. Any consumer electronic device is going to be rated for "typical usage", not doing something strange like turning it on/off every two seconds for 12 hours.

Personally I'd be more concerned about the thing turning into a piece of trash in 3-5 years. Any device that relies on outside infra-structure to work means that you're suddenly completely dependent on it. If the cloud provider goes out of business, drops support for version X, you could very quickly have an expensive paperweight.

Steve Sether
  • 21,480
  • 8
  • 50
  • 76