If Amazon’s ratings are any barometer, the Wi-Fi smart plug is well on its way to becoming one of the most popular IoT products yet devised. If you’re someone for whom the terms Internet of Things and home automation cause no anxiety, it’s not hard to see the appeal. For about $10 and up, any electrical outlet can be turned into the foundation of a smart home, allowing appliances plugged into it to be controlled and monitored across the Internet from outside as well as inside the home.
Lights, heaters, and air conditioning units can be turned on and off at set times, while others such as TVs and computers can be turned off to save standby power. Compellingly, smart plugs integrate with hubs such as Amazon’s Alexa or Google Assistant, allowing all of this to happen using voice commands.
But set one up as I did recently as a learning exercise – TP-Link’s basic Tapo P100 – and issues start to emerge that might not be obvious from the appealing feature list.
“The company gathers certain information about you. Information about you is also used by our affiliated entities and group companies.”
“Other information automatically collected may include your IP address, location, mobile device information, operating system, browser type, demographic information, application information, URL information such as click-through paths, identity of pages you interact with, and other information associated with how you interact with pages and service.”
Of course, if you plan to control the Tapo through a home hub (it will work without one although some smart plugs require integration), you’re probably relaxed about this sort of informational intrusion. You can also limit some of the app permissions on iOS and recent versions of Android.
Smart plugs might look simple but the first thing the Tapo did after initialization was poll for a firmware update. Yes, this is a plug costing $10 that requires updating, which given the version number 2.2.39 presumably happens reasonably often. Despite my qualms about the possibility of something as simple as a smart plug coming with security flaws, this counts as good design by TP-Link. As researchers probe this class of product for security flaws, serious vulnerabilities are now being uncovered in numerous products. It’s also likely that many of the no-brand products on sale are never updated, leaving home users exposed to potentially serious issues until they’re thrown away years later.
In October, the UK consumers’ association Which? (working with NCC Group pen testers) discovered a significant encryption flaw in TP-Link’s Kasa, the next smart plug up from the Tapo, which it said meant that “an attacker could seize total control of the plug, and the power going to the connected device.” Although the attacker would have to be inside the home network, this is a reminder that every IoT device adds to the security/updating load.
Other brands tested suffered from even more serious issues, including being a fire risk. Conclusion: check that the manufacturer issues smart plug updates (for both plug and app) at least several times a year. If it doesn’t, don’t buy it, no matter how cheap.
One of the draws of basic smart plugs is the ability to turn off as well as monitor the power consumption of appliances that might consume small but steady amounts of electricity while on standby. However, it’s important to understand that smart plugs also consume electricity, in the Tapo’s case around 0.9 watts under test. That’s well within acceptable range but if you have several of these running 24×7, even that small draw can add up to running a 20-watt bulb for several hours a day.