You have many electrical appliances in your apartment, but not all of them can be controlled remotely. You cannot turn on an iron, electric kettle, or coffee maker remotely. Of course, you can buy smart devices for your kitchen and home that have this function. But it's expensive. A wireless socket is much more efficient and cheaper. This is an advanced solution that is gaining popularity. We will tell you what wireless sockets exist on the modern domestic market of electrical appliances.
Device and functionality
Structurally, the device consists of an executive mechanical module (electromagnetic relay) that connects and disconnects electrical circuits, and a processor that controls it. Any home appliance with a rated power of up to 3.5 kW can be connected to a smart socket. Taking into account this limitation, the user selects a product with functionality suitable for him.
The principle of operation of the device is to remotely influence the loads connected to it. They can be turned on and off according to a pre-entered program or remotely. Remotely controlled sockets can be manipulated (in addition to their programming) by transmitting commands over an established over-the-air channel. For this we use:
- radio control;
- channel for sending SMS messages;
- Internet.
Depending on the chosen method, one or another means of transmitting control messages is used.
Functionality
A smart socket with a remote control or other means of sending packages (from a phone or tablet, for example) is capable of:
- monitor the current state of the included household appliances;
- send notifications about the most important parameters (ambient temperature, network voltage, etc.);
- automatically turn off equipment in case of sudden voltage drops, short circuits, as well as overloads;
- turn on/off devices according to a pre-entered program;
- turn off independently after exceeding the time limit allotted for the operation of a household product.
The more capabilities an outlet has, the more effective its use in controlling home appliances. The only limitation is the requirement for the power of the electrical appliances in use, which should not exceed a given value.
Types of sockets
Smart sockets are classified according to their location and control method. According to the first sign, they are external and built-in. The first ones are installed in a regular outlet in the apartment. Thus, they receive power from a 220 Volt network and the ability to perform their functions. The controlled device is plugged into them like a regular socket (into an easily removable adapter).
Built-in controlled sockets are mounted like conventional products in niches specially prepared for them using a plastic mounting box. For their normal functioning, they will require a connection to an existing residential electrical network. According to the method of control, they are:
- radio controlled;
- with control via GSM (SMS);
- working via the Internet (Wi-Fi sockets).
Socket products with temperature sensors and other auxiliary functions fall under the same classification.
Radio controlled sockets
Devices of this class are controlled by commands sent via radio from a portable remote control with a maximum range of up to 40 meters. The remote control runs on regular batteries, and the outlet itself is powered from the mains.
Depending on the model, the smart set contains up to 8 labeled products and a remote control with the required number of channels. It has on/off buttons, which are arranged in pairs and numbered according to the controlled sockets.
The advantages of radio-controlled smart devices include:
- low cost;
- resistance to electrical interference;
- ease of connection, eliminating the need to change the wiring diagram;
- the ability to manage multiple devices at once;
- efficiency.
The relative disadvantages of these radio products are the limited scope of application due to radio emissions and a high percentage of false alarms. Their disadvantages also include signal attenuation by metal or reinforced elements of building structures.
With GSM control
In appearance, these devices are practically no different from those controlled by radio - they also have standard pin terminals for plugging into a regular socket. On the front panel there are sockets for the electricity consumer, as well as control buttons and indicators on semiconductor elements (LEDs). Depending on the specific device, it includes various sensors:
- determining air temperature;
- monitoring the presence of gas leaks;
- registering the presence of smoke;
- responsive to the position of the door lock.
Inside the product there is a board with a GSM module and a separate slot for a SIM card, as well as a storage capacitor or battery. The latter are used as a backup (emergency) power source, allowing operation in the mode of receiving and storing commands in the event of a power failure.
These products are available in two versions, one of which is equipped with only a pair of sockets for connecting the consumer. The second option has several load outputs and is similar to a network extension cord. With its help, it is possible to implement various scenarios for the operation of several loads at once.
Internet controlled
Devices controlled via the network are positioned as Wi-Fi sockets, because... they can be controlled from the most remote points where there is an Internet connection. These products are available in the form of an adapter or extension. If remote control is required - on a phone, laptop or tablet - you will need to install special software. Thanks to it, the user can, if desired, display a control panel for a set of commands.
After connecting via WI-FI, the outlet is assigned an individual IP address, which allows you to receive and send commands in encrypted form. Individual settings made before installation are saved on the server or in the memory of the device itself. In the second case, they are reset when the power supply is turned off. This category also includes smart sockets with voice control using the Yandex Alice service. If desired, these products can be made by hand. This will require in-depth knowledge of electronics and experience in installing electrical circuits.
We examine the TP-Link HS110 firmware
The next step, the authors downloaded the official firmware for the device HS110(US)_V1_151016.zip and set binwalk on it to analyze the content.
Firmware contents HS110(US)_V1_151016.zip
As you can see, the firmware contains a regular Linux system, consisting of three parts:
- U-Boot Bootloader 1.1.4 (Oct 16 2015 - 11:22:22);
- Linux Kernel 2.6.31 - LSDK-9.2.0_U11.14 ( [email protected] );
- Squashfs filesystem.
The authors found the following interesting files in the file system:
- /bin/busybox v1.01 (2015.10.16 - 03:17+0000).
- /etc/newroot2048.crt - This certificate is used to verify the cloud server. The file contains a VeriSign Class 3 Public Primary Certification Authority - G5 root certificate. This means that when a TLS connection is established to the cloud, it is checked whether the certificate provided by the server is signed using Symantec VeriSign CA for Extended Validation (EV) certificates (CA pinning). An attacker can buy his own EV certificate and use it for his server to make it look like a cloud.
- /etc/shadow - after decryption it turned out that the password is media
root:7KBNXuMnKTx6g:15502:0:99999:7::: - /usr/bin/shd is the main server application.
- /usr/bin/shdTester - client for calibrating the energy screen.
- /usr/bin/calDump - dump calibration data from /dev/caldata.
All the proprietary server logic is in the shd (Smart Home Daemon) executable, which is a MIPS32 R2 Big Endian:
shd: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, corrupted section header size
It also contains OpenSSL 1.0.1j 15 Oct 2014 for establishing a TLS connection to a cloud server.
Connection and setup
Connection, configuration and commissioning of the radio-controlled product are carried out according to the instructions immediately after it is plugged into the sockets of a regular outlet. After moving the smart socket to another location, you will not need to re-configure the radio channel. Some radio models are controlled not only from the remote control, but also using the buttons on the front panel of the device.
The switched on device can be switched off remotely via the Internet
To launch and configure a GSM socket, you will need to install a SIM card with a cash balance in the slot available in it, and this is done on the product taken out of the network. In addition, in the device settings, you should disable the function of entering a PIN code when turned on. It is important to note that these samples are designed to work only with GSM cards - other standards are not suitable for this.
Next, the socket is connected to the mains power source, after which the process of initializing its operation begins. During the process, an authorized phone number is recorded in the device’s own memory, from which commands are received and to which reports on the operations performed are sent. The latter are implemented by sending a digital code given in the device passport to the card. It is formed as a combination of the default password (a series of zeros) and the user's (sender's) phone number. The procedure ends with the receipt of a response message confirming receipt of the previously sent package.
The second option is to call through your mobile phone card number. The answer to the call is to reset the call, confirming the completion of the action. The permissible number of authorized numbers is determined by the specific model of the outlet and is indicated in the product passport. An incorrect authorization procedure will lead to incorrect operation of the GSM socket.
To improve security, once the authorized number has been set up, the previously used default password (a series of zeros) is changed to a more complex one. This can be done by sending a message to the SIM card with the digital code specified in the attached passport. At the final stage, they begin to configure the device, for which each of its functions is assigned a given code, also indicated in the document. To simplify messaging, selected codes are recorded in the phone memory in the form of templates, and they are also assigned to shortcut keys.
Multichannel sockets with SMS function allow the connection of several electrical appliances at once with an individual operating scenario for each device. Generalized instructions for getting ready and putting them into operation have not been developed for such devices, since their setup is individual for each new model. The procedure for its implementation is given in the technical document.
What about our beloved HomeBridge?
The HomeBridge system is not an independent tool for controlling a smart home. As the name implies, this is just a connecting link that allows gadgets from different ecosystems to work in HomeKit.
In other words, HomeBridge is not responsible for sending or receiving control signals, does not participate in automation scripts, and does not control other devices.
Our “raspberry” with a similar “bridge” only recodes signals from ones understandable for gadgets to understandable for HomeKit and vice versa.
All this works great without the Internet. Of course, you can add a plugin, update an existing one, or connect a new gadget only if you have the Internet, and the existing system will work locally.
Conclusion: HomeBridge will not become an unnecessary obstacle to the operation of a smart home in the absence of the Internet.
Expert opinion
Viktor Pavlovich Strebizh, lighting and electrical expert
Any questions ask me, I will help!
The socket is connected to the network, a certain indicator of the device’s readiness for use is expected to light up, as described in more detail in the instructions from the manufacturer. If there is something you don’t understand, write to me!
Rules and selection criteria
Tips for choosing different types of smart sockets:
A radio-controlled device should be selected taking into account the specific location of use and the area of its installation. This will eliminate unwanted signal attenuation and frequent malfunctions. It should be remembered that radio-controlled sockets are only available in external versions.
- GSM products for split systems are selected complete with a backup battery, which allows you to save previously made settings in the event of a network failure.
- The number of connectors for connection must correspond to the expected volume of electrical appliances used.
- The permissible current load reserve cannot be less than 30 percent of the power of the controlled consumers.
In addition to the GSM function, some models provide the possibility of additional control via the Internet. When using such an outlet, the buyer will be able to use an alternative option if one type of connection is lost.
Popular smart plug manufacturers
Among the models with radio control are:
- ARA3-1500 R from COCO International BV with a range of 30 meters and a power of 1.5 kilowatts (number of channels - 3).
- AGDR-3500 from the same manufacturer with a coverage radius of 30-70 meters and a connected load power of 3.5 kW. Number of working channels – 6 pieces.
- UNIEL brands USH-P004 and P009 (G3-1000W-25m and G3-3600W-25m) with the characteristics given in their designation. The number of channels is 3 and 4, respectively.
Popular models of SMS products are represented by smart sockets from Xiaomi, Tp-Link and other samples. A well-known Chinese manufacturer offers a popular Smart Power Plug model, capable of working over the Internet and having a built-in timer. Tp-Link has put up for sale one of its best models, HS100. The socket is controlled via Wi-Fi (Internet) directly from your smartphone.
BusyBox
The provided version of BusyBox from the firmware is affected by the CVE-2011-2716 command injection vulnerability in the udhcpc (DHCP client) component. It allows you to embed commands in one of the following DHCP options:
- (12) Hostname;
- (15) Domainname;
- (40) NIS Domain;
- (66) TFTP Server Name.
After analyzing the executable file, the authors found that shd creates a shell script /tmp/udhcpc.script:
#!/bin/sh if[ $1 = renew –o $1 = bound] then ifconfig $interface $ip netmask $subnet route del default route add default gw $router echo “nameserver $dns” > /tmp/resolv.conf fi
and then udhcpc is executed:
/sbin/udhcpc –b –H “HS100(US)” –i br0 –s /tmp/udhcpc.script
Unfortunately, here the hostname is hardcoded and other options are not used. So the vulnerability is not exploitable.