Sonoff & Tuya smart plugs found to transmit unencrypted passwords

There are many low-cost smart plugs based on ESP8266 that provide a convenient way to control lights or home appliances with your smartphone. But cybersecurity firm A&O IT Group found vulnerabilities in ITEAD’s Sonoff S26 and Ener-J Wi-fi (Tuya) smart plugs that would allow an attacker to easily access your wireless network.

The first security vulnerability is common and hard to exploit, since it is only a concern during setup. The Sonoff S26 starts in access point mode with an ITEAD-1001xxxxxx SSID and is set up through the eWeLink app without the user needing to know the access point password. Older firmware did require it, so ITEAD still publishes the default password, 12345678, in the user manual, and anyone within range can use it to connect to the smart plug while it is in that mode. Once configured, the access point is no longer exposed, as the plug switches to client mode and connects to your router with your own credentials. So that's not ideal, but not such a big issue.

Sonoff Tuya security vulnerability

The second issue is more concerning: the smart plug communicates over HTTP instead of HTTPS, and the data it sends can easily be captured with a tool like Wireshark, as shown in A&O IT Group's capture:

The captured data could potentially be used to connect to the cloud, but what concerns Richard Hughes, head of technical cybersecurity at A&O IT Group, the most is that the SSID and password of your router are also sent in plain text over HTTP. An attacker within radio range could therefore capture the credentials, join the user's Wi-Fi network, and then attempt to exploit other connected devices in the home or use the connection to launch bot attacks on the Internet.

A quick way to partially mitigate this is to put your IoT devices on a separate guest SSID, so that your other devices holding important data are not reachable from it, and to configure the firewall to allow only the services the device actually needs, such as MQTT. Note that this limits the damage rather than the leak itself: an attacker who captures the credentials still gets onto the guest network, just not onto the one with your other devices. This is explained in detail on the Tasmota website.

Speaking of Tasmota, that's another way to secure the device: install the open-source firmware and configure TLS if your plug supports it (the main constraints are memory and storage). In the past you did not even have to open the device, but that trick may no longer work, so the device may have to be opened and the firmware flashed over the serial port.

Having said that, A&O IT Group considers the ability to flash the firmware fairly easily to be a security vulnerability in itself, but to many CNX Software readers it is more of a feature, with the Tasmota, ESPHome, and ESPurna open-source firmware offering more secure alternatives. ISPreview, who first published the news, lists some interesting "solutions" for manufacturers, which include:

  • Glue or weld plastic enclosures so that it is more difficult to tamper with a device without leaving evidence in the form of cosmetic damage to the enclosure.
  • Use hardware that requires a cryptographically signed firmware image.
  • Coat components and connections required for dumping/flashing firmware with an epoxy resin, the removal of which would damage the components leaving the device inoperable.

Hopefully, ITEAD will not follow those recommendations, as they would negatively impact users who want to flash their own firmware or repair the device, but will instead work on fixing the firmware and the two vulnerabilities listed in this post. We contacted ITEAD for comment yesterday, but have not received a reply yet. I'll make sure to update the post when/if we get one.

Thanks to TLS for the tip.
