IoT (h)army: hacking the smart switch

I purchased a pair of Teckin SP10 smartplugs. They were on sale for $8 each, they fluctuate up and down, are available in round, square, 1-pack,2-pack,4-pack, lots of options. I did this on the thesis that:

  1. They would be a disaster for security
  2. They would probably have an esp8266 in them for simple hacking

I'm pleased to report that both turned out to be true! Look @ the attached packet capture and you will see for yourself (dump.pcap). In a nutshell, they run a public MQTT server, all these devices contact it. You can use that bus to upgrade them (imagine me pushing new firmware to a widget in your house, and that widget can be a WiFi AP and Client for great man-in-the-middle attacks against your other devices). Its got a bit of control on it (there is some password which is defined by the mac of the device... can't imagine that number being guessable!). Hmm.

So let's dremel it open (side note: it seems you can just apply some heat and wiggling to break the ultra-sonic weld, but who has time for that!).

OK, we're in. That little module standing vertically is indeed an ESP8266-01. The serial ports is indeed exposed underneath, so programming it is simple.

But, turns out there is an even simpler way. Install this git repo and plug in the device, boom, running Tasmota. And now I can setup the device from a simple web interface, assign it to my private MQTT server, and from there my HomeAssistant. And now we are good to go, no Internet needed, security is much stronger.

This is actually quite a good device for the price. Since it has the esp8266 its both more and less hackable than the KanKun I did earlier. I kind of wish I had got the rectangular ones, but they were 'much more expensive' at ~$15/each. They also have a power-bar one with 4 outlets. Hmm, so many choices!

So, tl;dr: this device has decent hardware. The software and app worked very well (surprisingly, they are usually terrible). The security was a 2/5, I mean, its unlikely your house will be burned down, but, well, a moderately skilled hacker could use it to get access to traffic from other devices in your home. THe hackability is high, its now running secure on my TLS-based MQTT, on my private network, with my own HomeAssistant (meaning I don't worry about it being bricked if they give up like Lowes did).

So, I do recommend. Get your hack on.

Leave a Reply

Your email address will not be published. Required fields are marked *