They come with a promise to help people run and monitor a range of gadgets and appliances around the home using a mobile phone.

But a new consumer investigation has found that smart plugs for sale at a wide range of retailers risk exposing sensitive personal data to hackers or creating a serious fire risk.

Experts uncovered a critical issue with users’ wi-fi passwords not being encrypted during the setup of smart plugs, meaning an attacker could steal them.

For the probe, Which?, working with security consultants NCC Group, bought 10 smart plugs available from popular online retailers and marketplaces, and found 13 "vulnerabilities" among nine of the plugs, including three rated as high impact and a further three as critical – all of which they said could pose a "major risk" to people’s homes.

One device had a critical fault that could cause a fire or even an explosion big enough to destroy the device plugged in to it.

Several of the products tested had a "critical vulnerability" that could allow cybercriminals to steal the network password and use that to hack not only the plugs and the hub, but also any other connected products, such as a thermostat, camera or potentially even a laptop.

As well as giving an attacker access to devices, this vulnerability could also divulge information such as when people are in and out of their homes, potentially a gift to criminals.

Which? found the issue with the popular Hive Active plug, available at a wide range of retailers including Amazon, John Lewis, Currys PC World, B&Q and Screwfix, although it said the window of opportunity for attack was smaller than on other devices.

Which? said it believes the latest findings further highlight the importance and urgency of new laws proposed by the Department for Digital, Culture, Media and Sport (DCMS), requiring smart devices sold in the UK to adhere to three basic security requirements.

Which? said none of the plugs it tested would currently meet these requirements.

None said at the point of sale how long the product would be supported with security updates.

And hardly any of the devices Which? tested had a point of contact where it could report the vulnerabilities and problems it found, while many also use default passwords.

Kate Bevan, Which? computing editor, said: “Connected devices like smart plugs bring potential benefits and convenience to our lives, but also significant risks if they are poorly made and sold without any safety checks or monitoring.

“Government legislation to tackle unsecure products should be introduced without delay and must be backed by an enforcement body with teeth that is able to crack down on these devices.

“Online marketplaces should also be given more legal responsibility for preventing unsafe products from being sold on their sites.

“In the meantime, online marketplaces, retailers and manufacturers must be far more proactive in preventing devices with security issues ending up in people’s homes.”

Experts also uncovered a critical issue with users’ wi-fi passwords not being encrypted during the setup of smart plugs, meaning an attacker could steal them.

The investigation found that the Meross Smart Plug WiFi Socket, sold on Amazon and eBay, could allow a hacker to enjoy free internet at the user’s expense, monitor what sites a person is visiting and attempt to compromise other devices that they have connected to the smart home system.

Meross has said it will fix the issue but this could take six months or more.

In another case, testers found a flaw that meant an attacker could seize total control of the plug, and of the power going to the connected device.

Which? said Hive and TP-Link had both engaged "positively" with the findings and are in the process of fixing the respective issues with their products.

Which? is also in ongoing talks with Meross, which has said it will fix the issue but that this could take six months or more.

Hive said: “We thank the Which? team for bringing this to our attention. Protecting our customers from cybercrime is paramount and we are actively working with the Government and industry peers to ensure smart technology has rigorous security measures in place to ensure data privacy.

“We agree any potential vulnerability is serious and we will be reviewing their full findings to evaluate the seriousness of this claim. However, from what we have seen to date, and as verified by Which?, the risk to our customers brought about from this scenario is extremely low due to the small window of opportunity, the customer interaction required and the need to be in close proximity to the devices. If any of our customers have concerns they can contact us directly to discuss.”