Hacking a $20 WiFi Smart Plug

The Kankun smart plug is an inexpensive device that lets you switch an outlet on and off over wifi. The smart plug only works with an Android or IOS app that ships with the device, which limits its usefulness to turning things on and off from your phone.

In an attempt to make this device more useful, [LinuxGeek] probed the device with nmap and discovered that it runs OpenWRT. After trying various common default passwords he discovered the login was root/admin. While [LinuxGeek] hasn’t sniffed the protocol yet, others have hacked it a bit further. The plug apparently uses UDP packets to communicate with the Android app, but the packets are unfortunately encrypted.

Rather than hack at the protocol, they wrote code that toggles the GPIO pin from a CGI script and developed a small Windows application that hits the CGI script for simple control from a computer. There’s also a Google+ group where more information and a couple other hacks for these plugs are posted. For $20 (from AliExpress) and with a bit of hacking, this smart plug could be a great way to add wireless control to a home automation system.

Hacking the D-Link DSP-W215 Smart Plug

DSP-W215

The D-Link DSP-W215 Smart Plug, a wireless home automation device for monitoring and controlling electrical outlets has just been hacked. Even though it isn’t readily available from Amazon or Best Buy yet, the firmware is already up on D-Link’s web site. The very well detailed write-up explains all the steps that led to this exploit creation.

First, the firmware was unpacked to examine the file system contents. It was found that the smart plug doesn’t have a normal web-based interface as users are expected to configure it using D-Link’s Android/iOS app. The apps however, appear to use the Home Network Administration Protocol (HNAP) to talk to the smart plug running a lighthttpd server. A look at the latter’s configuration file revealed the functions that could be called without any authentication. Another revealed that the firmware could accept an unlimited amount of POST request bytes which were copied in a fix length buffer without any performed checks. We’ll let our readers head to the original article to see where the author went from this point.