Smart plugs risk exposing sensitive data to hackers or creating a serious fire risk in the home, an investigation by consumer champions Which? has found.
Internet-connected 'smart' plugs let users turn standard appliances on and off remotely via an app on their smartphone.
But smart plug makers including TP-Link, Hive and Hictkon all have products with vulnerabilities that expose users to security or safety hazards, and these products are on sale through retailers including Amazon Marketplace and eBay.
One plug made by Hictkon is so dangerous that it 'should not be sold' due to the fire risk it presents to people in the home, according to Which?.
Online retailers should take more responsibility for the safety and security of the products sold on their sites even if the seller is a third-party, Which? says, adding that government intervention is needed.
'Connected devices like smart plugs bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring,' said Kate Bevan, computing editor at Which?.
'Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.
'Online marketplaces should also be given more legal responsibility for preventing unsafe products from being sold on their sites.
'In the meantime, online marketplaces, retailers and manufacturers must be far more proactive in preventing devices with security issues ending up in people's homes.'
Controlled by an app, a smart plug lets users turn on and off any appliance that plugs into a standard wall socket.
They give users remote control over standard appliances that would normally be plugged into the mains.
Users need to plug their smart plug into any standard wall socket and plug their chosen appliance into it.
The chosen appliance doesn't have to be a smart appliance.
With an accompanying app, the smart plug controls when the appliance plugged into it is turned on and off.
Which? bought 10 smart plugs available from online retailers and marketplaces.
Products ranged from well-known brands such as TP-Link and Hive to more obscure names such as Hictkon, Meross and Ajax Online.
Which? worked with security consultants NCC Group to test the 10 smart plugs for security and safety in August 2020.
Experts found 13 vulnerabilities among nine of the plugs.
Three of these were rated as 'high impact' and another three as 'critical' – all of which could pose a major risk to people’s homes.
One device had a critical fault that could cause a fire or even an explosion 'big enough to destroy the device plugged in to it'.
Which? said the Hictkon Smart Plug with Dual USB Ports, which was available on Amazon Marketplace, has been poorly designed.
Its major issue is that its live connection is far too close to an energy-monitoring chip.
This could cause an arc – a luminous electrical discharge between two electrodes – which poses a fire risk, particularly to older homes with older wiring.
Which? experts suspect the Hictkon Smart Plug came with a fake CE safety marking and is 'so dangerous that it should not be sold'.
Amazon has since taken this smart plug off sale pending an investigation and the old webpage for the product now redirects to the Amazon homepage.
Which? said: 'Anyone who has purchased one of these devices should unplug it and stop using it immediately.'
The Hive Active plug, available at a wide range of retailers including Amazon, John Lewis, Currys PC World, B&Q and Screwfix, has a smaller window of opportunity for cyber attackers than other plugs, Which? said.
Meanwhile, other smart plugs were deemed a cybersecurity risk rather than posing an immediate physical threat.
Several of the products tested had a critical vulnerability that could allow cybercriminals to steal the network password.
This could be used to hack not only the plugs and the hub, but also any other connected products, such as a thermostat, camera or potentially a laptop.
This issue allegedly emerges when users connect two plugs – the Innr SP 222 Zigbee 3.0 Smart Plug (available on Amazon and eBay) and Ajax Online plugs (available on Amazon) – to a Tuya hub, a commonly used hub for connecting devices using the Zigbee specification.
As well as giving an attacker access to devices, this vulnerability could also divulge information like when people are out of their homes, which is 'potentially a gift to criminals', Which? said.
Innr claimed the issue lay more with the Zigbee implementation on the hub used in the testing.
Ajax also said in a statement to MailOnline that this is not an issue caused by the plugs but the Tuya hubs.
'We have contacted Tuya directly and informed them of this