There's a lot to like about this hardware, but unfortunately it's entirely overwhelmed by everything there is to hate about it. But before we get to that: I received this product at a discount in return for writing an honest review of it. Onwards!



The packaging is entirely reasonable. There's a small cardboard box, a sheet of instructions, and a piece of hardware securely wrapped in bubblewrap. It's very small, but feels well built. There's no creaking plastic under pressure, and no parts feel loose. Once it's plugged in a blue LED in the button starts blinking, waiting for you to set it up. The app attempts to walk you through the setup, but things start going wrong here.



This system is based on the ESP8266 module, which is a great choice for this sort of application. It's cheap but well featured, and there's a lot of easy off the shelf code that vendors can incorporate into it to cut down development time and ship better products faster. One of the features available is something called "Smart connect", where an app on a phone encodes your wifi password into network broadcasts of different lengths. It's possible to detect these even without the password, so this allows your phone to pass the information on to the socket without having to fiddle about connecting to a different network. Simply hold down the power button to enter setup mode, and the phone does the rest.



At least, it does in theory. In practice it fails for two reasons - the first is that it'll happily try to do this on a 5GHz network, even though the socket only has 2.4GHz support. The other is that the app doesn't have the appropriate permissions to do this on Android 6, so it doesn't work on new Android phones even if you are on a 2.4GHz network. However, it also supports a more traditional setup mode. By holding down the power button again, it turns into an access point. You connect to it and the app sends the network data. Simple.



Again, at least, in theory. In practice the app is looking for a network called "SmartPlug" and this version of the hardware creates a network called "XW-G03", so it never finds it. I ended up reverse engineering the app in order to find out the configuration packet format, sent it myself and finally had the socket on the network. This is, needless to say, not a reasonable thing to expect average users to do. The alternative is to find an older Android device or use an iPhone to do the setup.



Once it's working, you can just hit a button on the app and your socket turns on or off. You can also program a timer. If your phone is connected to the same network as the socket then this is just done by sending a command directly, but if not you send a command via an intermediate server in China (the socket connects to the server when it joins the wireless and then waits for commands). The command packets look like they're encrypted, but in reality there's no real cryptography here at all. I wrote a simple program to decode the packets and looked at them in more detail. There's a lot of unnecessary complexity in the packet format, but in the end the relevant things are just a command and the MAC address of the socket. On the local network this is sent directly to the socket, otherwise it goes via the server in China. The server looks at the address and uses that to decide which socket to pass it on to. Other than the destination, the packets are identical.



This is a huge problem. If anybody knows the MAC address of one of your sockets, they can control it from anywhere in the world. You can't set a password to stop them, and a normal home router configuration won't block this. You need to explicitly firewall off the server (it's 115.28.45.50) in order to protect yourself. Again, this is completely unrealistic to expect for a home user, and if you do this then you'll also entirely lose the ability to control the device from outside your home.



In summary: by default this is stupendously insecure, there's no reasonable way to make it secure, and if you do make it secure then it's much less useful than it's supposed to be. Don't buy it.