IoT (h)army: hacking the smart switch

I purchased a pair of Teckin SP10 smartplugs. They were on sale for $8 each, they fluctuate up and down, are available in round, square, 1-pack,2-pack,4-pack, lots of options. I did this on the thesis that:

  1. They would be a disaster for security
  2. They would probably have an esp8266 in them for simple hacking

I’m pleased to report that both turned out to be true! Look @ the attached packet capture and you will see for yourself (dump.pcap). In a nutshell, they run a public MQTT server, all these devices contact it. You can use that bus to upgrade them (imagine me pushing new firmware to a widget in your house, and that widget can be a WiFi AP and Client for great man-in-the-middle attacks against your other devices). Its got a bit of control on it (there is some password which is defined by the mac of the device… can’t imagine that number being guessable!). Hmm.

So let’s dremel it open (side note: it seems you can just apply some heat and wiggling to break the ultra-sonic weld, but who has time for that!).

OK, we’re in. That little module standing vertically is indeed an ESP8266-01. The serial ports is indeed exposed underneath, so programming it is simple.

But, turns out there is an even simpler way. Install this git repo and plug in the device, boom, running Tasmota. And now I can setup the device from a simple web interface, assign it to my private MQTT server, and from there my HomeAssistant. And now we are good to go, no Internet needed, security is much stronger.

This is actually quite a good device for the price. Since it has the esp8266 its both more and less hackable than the KanKun I did earlier. I kind of wish I had got the rectangular ones, but they were ‘much more expensive’ at ~$15/each. They also have a power-bar one with 4 outlets. Hmm, so many choices!

So, tl;dr: this device has decent hardware. The software and app worked very well (surprisingly, they are usually terrible). The security was a 2/5, I mean, its unlikely your house will be burned down, but, well, a moderately skilled hacker could use it to get access to traffic from other devices in your home. THe hackability is high, its now running secure on my TLS-based MQTT, on my private network, with my own HomeAssistant (meaning I don’t worry about it being bricked if they give up like Lowes did).

So, I do recommend. Get your hack on.






10 Responses to “IoT (h)army: hacking the smart switch”

  1. alex

    ota flashing doesnt work anymore. i’ve opened my plug up and it looks quite difficult to access the ports to flash, and the mother chip appears to be soldered down. will i have to desolder to access the ports?

    1. db

      got some hi-res photos of each side?

  2. dave

    FYI, the apparently Teckin SP10 underwent a design change: I just received a set, and opened one, and this one is implemented with a RealTek RTL8710BN (instead of the ESP8266). This RealTek chip is functionally similar to the Espressif, but quite different as it is an ARM based device.
    Interestingly, Longtour Photology did /not/ update their FCC registration to reflect this BOM change (especially since it affects the RF part).
    Anyway, I imagine this will affect hackers wanting to build and burn alternative firmware, so I thought I’d record that finding here.

    1. db

      Good thing its simple to find out which it has inside 🙂 /s

    2. I just picked up a pair of Teckin SP20 with the RTL inside.
      Same annoyance. Indistinguishable from the ESP version from the outside. Same FCC number, same part number, completely different radio.
      RTL8710BN is out to eat the ESP8266’s lunch.. perhaps it’s coming time to port Tasmota?

      1. db

        sadly it seems to be locked.
        but, its pinout compatible w/ the esp 01 module, some people have swapped.

        but if you port tasmota you’ll be a hero. particularly if its OTA program.

        i got one of them and opened it the hard way 🙂

        1. Jayme Snyder

          Yeah I too have opened one the hard way. Really, much of Tasmota is not really relevant to those of us bummed about the WR2/WR3 Tuya modules. I also have a Realtek InkBird IHC-200 wifi humidity sensor relay that I want to use as the fan controller for my greenhouse. I recently contributed a patch for the InkBird ITC-308 which is almost identical to allow the temperature to be reported.
          The hard work of reverse engineering the TuyaMCU has been done by the Tasmota guys, and as you pointed out, people have been successful swapping the Realteks with the esps.
          I opened up the dialogue with the Tasmota guys and they think that there’s going to be little success and little interest in porting the current Tasmota. I’m considering building something limited to just TuyaMCU & MQTT support. Did you actually try to connect to the RTL with the Arduino IDE?

        2. Justin

          I want to try swapping out the boards. Is there any documentation of people doing this or how well it works?

          1. db

            yes, some online have posted about swapping the realtek for esp8286 modules, sameish pinout.
            shows the replacement that is in some of the newer ones that tuya convert doesn’t handle.

  3. Jayme Snyder

    Also, it seems most of my ESP devices I am finding are also not working with the latest TuyaConvert. Maybe the days of the OTA exploit are done, for now.

Leave a Reply

Your email address will not be published. Required fields are marked *