Author Topic: EcoPlug Wifi Switch Teardown and SW Hacking  (Read 3577 times)


Offline scootermcgooberTopic starter

  • Newbie
  • Posts: 2
EcoPlug Wifi Switch Teardown and SW Hacking
« on: February 05, 2016, 06:08:45 pm »
I bought some cheap wifi power switches from Home Depot and was disappointed to find out that they only worked with the manufacturer's (terrible) app.  I looked at dissecting the protocol to control them (just a UDP packet with special formatting), then I decided to open it up.  Inside there was what looked like an esp8266.  I managed to figure out the pinout of the non-standard module and attach a USB to Serial device.  In the end I wrote some basic firmware and reflashed it. Good thing too; packet captures show this thing sends your SSID and PW to an external server in plaintext!

Apparently these switches are manufactured by KAB Enterprises and resold under a variety of brands (including Woods WION series).  There are some other examples here: http://www.kab-cable.com/product.php?CNo=27

My teardown and how-to is here:


The pinout and link to the software are available here:
http://thegreatgeekery.blogspot.ca/2016/02/ecoplug-wifi-switch-hacking.html

Scott
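
An added example, not part of the original post or the linked write-up: one way to check a packet capture of your own for the behaviour described above, by searching payloads sent to non-local addresses for your SSID and passphrase in cleartext. The capture contents, addresses, ports and secrets below are constructed placeholders, and the list of "local" ranges is an assumption.

```python
import ipaddress
import struct

# Assumption: destinations in these ranges stay on the local network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "224.0.0.0/4", "255.255.255.255/32")]

def build_pcap(packets):
    """Build a constructed classic-pcap capture of Ethernet/IPv4/UDP frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, payload in packets:
        udp = struct.pack("!HHHH", 40000, 9000, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def find_plaintext_leaks(pcap, secrets):
    """Return (src, dst, secret) for every secret seen in cleartext leaving the LAN."""
    magic = pcap[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if any(dst in net for net in LOCAL_NETS):
            continue  # traffic that stays on the LAN is not reported
        data = frame[14 + (frame[14] & 0x0F) * 4:]  # everything after the IP header
        hits += [(str(src), str(dst), s) for s in secrets if s.encode() in data]
    return hits

# Constructed sample: 203.0.113.10 is a documentation address standing in for the server.
SAMPLE = build_pcap([
    ("192.168.1.50", "192.168.1.20", b"ssid=HomeNet"),
    ("192.168.1.50", "203.0.113.10", b"id=01;ssid=HomeNet;pw=correct-horse"),
])
if __name__ == "__main__":
    print(find_plaintext_leaks(SAMPLE, ["HomeNet", "correct-horse"]))
```

On a real capture, read the file's bytes and pass your own SSID and passphrase as `secrets`; an empty result only means they did not appear unencoded in the frames captured.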
 

Offline Dielectric

  • Regular Contributor
  • *
  • Posts: 127
  • Country: 00
Re: EcoPlug Wifi Switch Teardown and SW Hacking
« Reply #1 on: February 06, 2016, 10:59:54 pm »
This is really good stuff.  I was in Lowes today, didn't see anything that looked similar though.

Are you serious that it sends your SSID and password to an external server in plaintext?  That is so far beyond stupid as to be malicious.
 

Offline johnkenyon

  • Regular Contributor
  • *
  • Posts: 123
  • Country: gb
Re: EcoPlug Wifi Switch Teardown and SW Hacking
« Reply #2 on: February 07, 2016, 09:33:34 am »
Quote from: Dielectric on February 06, 2016, 10:59:54 pm
> Are you serious that it sends your SSID and password to an external server in plaintext?  That is so far beyond stupid as to be malicious.

The linked article says that the PCB has provision for measuring power consumption.

My money is on the ESP software sending the data back to the "mothership" where it needs some kind of unique identifier to distinguish between one user and another, and which can be linked back to a specific customer. So the database on the external server uses MAC+SSID+PASSWORD as a unique identifier which correlates to Ecobox+customer.

The problem started when they decided to flog the remainder of their stock with no power monitoring to Home Depot, but couldn't be arsed fixing the software...

 

Offline HAL-42b

  • Frequent Contributor
  • **
  • Posts: 423
Re: EcoPlug Wifi Switch Teardown and SW Hacking
« Reply #3 on: February 07, 2016, 09:44:27 am »
Quote from: Dielectric on February 06, 2016, 10:59:54 pm
> Are you serious that it sends your SSID and password to an external server in plaintext?  That is so far beyond stupid as to be malicious.


That's The Internet Of Things for ya.
 

Offline eas

  • Frequent Contributor
  • **
  • Posts: 601
  • Country: us
    • Tech Obsessed
Re: EcoPlug Wifi Switch Teardown and SW Hacking
« Reply #4 on: February 09, 2016, 09:27:56 pm »
Quote from: johnkenyon on February 07, 2016, 09:33:34 am
> Quote from: Dielectric on February 06, 2016, 10:59:54 pm
> > Are you serious that it sends your SSID and password to an external server in plaintext?  That is so far beyond stupid as to be malicious.
>
> The linked article says that the PCB has provision for measuring power consumption.
>
> My money is on the ESP software sending the data back to the "mothership" where it needs some kind of unique identifier to distinguish between one user and another, and which can be linked back to a specific customer. So the database on the external server uses MAC+SSID+PASSWORD as a unique identifier which correlates to Ecobox+customer.

Perhaps, though the MAC should be good enough for that purpose. If it weren't, the MAC + SSID and/or the MAC of the default gateway.

So, like so many things, it is probably the result of a combination of stupidity and evil, in unknown proportions.
 

