Teardown of a Smart Plug (or Two)
Since I wrote about the teardown of the LiFX Mini white bulb a few weeks ago, Limited Results has gone back and taken a look at a different bulb, the WIZ connected bulb, and this time finding an ESP-WROOM-02 module with an Espressif ESP8266. It was equally hackable.
This left me thinking about how many other commercial Internet of Things smart devices might be hiding the same maker friendly, and entirely hackable, internals. So, ignoring smart bulbs, I decided to go and look at smart sockets.
Heading to Amazon I picked up two, the Teckin SP23 and Blitzwolf BW-SHP4 smart sockets. They’re both fairly cheap, and roughly the same size, and I had a sneaking suspicion they might both be fairly similar inside.
Going ahead and opening the Teckin smart socket with a spudger, and a lot of brute force, it turned out to be built around an Espressif ESP8266 chip, just like the WIZ smart bulb, rather than the ESP32 used by the LiFX smart bulb.
The logic and power boards are entirely separate, with the logic board mounted vertically “through hole” in a slot in the main power board which houses the relay and mains switching hardware.
The main silicon on the logic board is the familiar ESP8266EX chip.
However, there is another interesting piece of silicon on this side of the logic board, a small 8-pin chip labelled HJL-01. The clue to the function of this chip is when we flip the board over. There you can see that the neutral pin of the mains plug is connected through the logic board.
This makes a lot of sense, since the Teckin smart socket features the ability to monitor the energy usage through the plug. While I can’t find any information on the HJL-01, my current bet is that this is the silicon used to do the energy monitoring, and that the HJL-01 is a clone or copy of the HLW8012 chip used in a number of other similar smart sockets.
The only other piece of silicon on the logic board is on the rear of the board, and is a BoyaMicro 25D80, an 8Mbit SPI Flash memory chip.
At this point, for comparison purposes, I went ahead and opened up the Blitzwolf smart plug with the same spudger, and this time a lot more brute force. If you want to be able to put the plug back together and use it again, I’d really recommend a hitting the external case of this plug with a rubber mallet around the sides—to attempt loosen the glue—before prying it open, because it’s really well secured.
The insides of the second plug are superficially similar to the Teckin plug, although as you can see there are differences. The Blitzwolf smart plug is a two sided circuit board, with the through hole components on the top of the board and all the SMD mounted components on the rear, while the Teckin plug uses a single-sided board with through hole and SMD components on the top side.
This difference is a lot more evident when you sit the boards side by side. The Blitzwolf board look a lot cleaner from the top, but only because all the SMD components are hidden on the bottom of the board.
What is similar is that the Blitzwolf board also separates the logic and power boards, with the logic board again being mounted vertically through hole. Interestingly here, though, the mains isn’t routed through the logic board, with the energy monitoring chip being located on the bottom of the power board.
The chip, labelled BL0937 has been seen on other smart sockets, is visible just below the logic board connector towards the top right of the rear of the board.
The logic board has the main silicon covered with an RF shield, prying that off with the supdger I found something rather unexpected.
Instead of the now expected ESP8266, or ESP32, chip we find a rather less common—at least in the maker community—ESP8285 chip.
Under the hood the Espressif ESP8285 is just an ESP8266, but with 1MB of flash memory onboard, which explains the absence of an SPI flash chip similar to the one we saw in with the first plug.
Wiring the BlitzWolf plug to jumper wires and connecting it to USB to poke around with on serial connection is actually pretty trivial as the logic board itself is labelled on the silk screen.
Unfortunately we didn’t get so lucky with the Teckin smart plug, there were no convenient labels on the silkscreen to go by—although the ground and 3.3V pads were pretty obvious—so I had to get slightly more serious.
Soldering a a bunch of wires to the logic board connect, and breaking out my logic analyser the UART pins were still pretty easy to find. Which let me use the esptool suite of utilities to retrieve the contents of the memory, and just loading that into a hex editor let me retrieve the Wi-Fi credentials.
Just like those smart bulbs.
However interestingly, we can go a lot further. Because, as you might well have gathered by now, it seems I was actually treading a well worn path.
Because both of these smart plugs are compatible with the alternative Sonoff-Tasmota open source ESP8266 firmware. This community firmware allows you to control the smart sockets over any of MQTT, HTTP, serial, or even KNX for integrations with other smart home systems.
While reflashing the Blitzwolf BW-SHP4 involves open the plug up, just as I’ve done here, or perhaps more neatly cutting a hole in the base to get to the logic board connectors, you can actually reflash the Teckin SP23 over the air.
While I’d trust the alternative open source firmware a lot more than whatever firmware was running on the plugs before hand, especially when it comes to my privacy and the possibility that these devices might be “reporting home,” opening up these plugs has confirmed what I pretty much already assumed.
There no way to make a computing device really secure. Therefore a modern approach to security is normally all about defence in depth, rather than a single measure that would make a thing secure. However the use of the ESP82xx means that these smart devices lack both secure boot and flash encryption, both are vital if you want to stop the sorts of attacks we’ve seen first with the smart light bulbs, and now with these smart plugs.
They aren’t secure, and they can’t be made secure.
But, it’s all about relative risk. Reflashing these sorts of cheap smart plugs with community written open source firmware eliminates most of the known unknowns.
Just make sure you put them on their own network, rather than the one with your laptops and other personal devices, and don’t give in to the temptation to open ports on your router to allow you to control of them from the Internet.
At which point? They might be secure enough, and they’re certainly fun.