IoT security company Sternum has discovered a vulnerability in one of Belkin’s smart home devices. Read on for the details about how the Wemo Mini Smart Plug V2 flaw can be exploited for remote command execution and why Belkin has decided not to patch it.
Sternum found the flaw specifically in the Belkin Wemo Mini Smart Plug V2, which works with HomeKit, Google Assistant, and Amazon Alexa.
After reaching out to Belkin about the security issue, Sternum was told that “the device is at the end of its life and will not be patched.”
The tough part is that there are likely hundreds of thousands of V2 units out in the wild (note: Version 4, the latest model Belkin is selling, does not suffer from the flaw).
Wemo Mini Smart Plug V2 flaw
After talking with Belkin, Sternum shared the full background and details on the flaw today. Here are the highlights:
- Wemo Mini Smart Plug V2 is managed by a mobile application that allows its user to change the device name (a.k.a. ‘FriendlyName’).
- The name length is limited to 30 characters or less but the rule is only enforced by the app itself (not enforced by firmware).
- Through a process of reverse engineering, we saw that circumventing the character limit resulted in a buffer overflow.
- Through experimentation, we learned that we could obtain a measure of control and predictability over how the overflow occurred.
- Leveraging these findings, we were able to demonstrate how the vulnerability can be used for command injection.
- We reached out to Belkin (the device manufacturer) with our findings. However, the company informed us that the device is at the end of its life and will not be patched. Meanwhile, it’s safe to assume that a lot of these devices are still deployed in the wild.
- Following the company’s response we reached out to MITRE and informed them of the vulnerability, leading to them issuing CVE-2023-27217.
- We recommend that device users take some precautions, specifically limiting the device’s exposure to the Internet and internal/sensitive networks.
While Sternum isn’t certain of it yet, it believes the vulnerability “could be triggered via the Cloud interface (meaning, without a direct connection to the device).”
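The root cause in the highlights above is a length rule enforced only in the app. As an added illustration (not Belkin's firmware and not Sternum's code), here is what enforcing the 30-character limit on the device side could look like in C; the struct layout, function name, status codes and the character allowlist are all assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FRIENDLY_NAME_MAX 30 /* the limit the app enforces, per the article */

/* Hypothetical settings record; the real firmware layout is not public here. */
struct device_cfg {
    char friendly_name[FRIENDLY_NAME_MAX + 1]; /* +1 for the terminating NUL */
    char next_field[16]; /* stands in for whatever is stored after the name */
};

enum name_status { NAME_OK = 0, NAME_TOO_LONG = -1, NAME_BAD_CHAR = -2, NAME_EMPTY = -3 };

/* Device-side check: the request is untrusted no matter what the app does,
 * so measure it within its own bounds and reject instead of truncating. */
enum name_status set_friendly_name(struct device_cfg *cfg, const char *req, size_t req_len)
{
    const char *nul = memchr(req, '\0', req_len); /* never read past the request */
    size_t n = nul ? (size_t)(nul - req) : req_len;

    if (n == 0)
        return NAME_EMPTY;
    if (n > FRIENDLY_NAME_MAX)
        return NAME_TOO_LONG; /* cfg is left untouched */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)req[i];
        /* Assumed allowlist: printable ASCII without shell metacharacters,
         * as defense in depth in case the name ever reaches a command line. */
        if (!isprint(c) || strchr("`$;|&<>\\\"'", c))
            return NAME_BAD_CHAR;
    }
    memcpy(cfg->friendly_name, req, n); /* n <= 30, so this always fits */
    cfg->friendly_name[n] = '\0';
    return NAME_OK;
}

int main(void)
{
    struct device_cfg cfg = { "Wemo Mini", "canary" };
    char oversized[200]; /* constructed sample input, no NUL terminator */
    memset(oversized, 'A', sizeof oversized);

    printf("normal name: %d\n", set_friendly_name(&cfg, "Living Room Lamp", 16));
    printf("200 bytes:   %d\n", set_friendly_name(&cfg, oversized, sizeof oversized));
    printf("name=\"%s\" next_field=\"%s\"\n", cfg.friendly_name, cfg.next_field);
    return 0;
}
```

Rejecting the oversized request outright, rather than silently truncating it, also gives the device a clear event to log when a client bypasses the app's limit.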
What to do if you have a Wemo Mini Smart Plug V2?
Since Belkin won’t be issuing a patch for the device, Sternum recommends:
- Avoid exposing the Wemo Smart Plug V2 UPNP ports to the internet, either directly or via port forwarding.
- If you are using the Smart Plug V2 in a sensitive network, you should ensure that it is properly segmented, and that the device cannot communicate with other sensitive devices on the same subnet.
But of course, if those steps don’t fully resolve concerns or you’re not quite sure how to execute them, the safest option is to stop using the Wemo Mini Smart Plug V2.
For all the fine details, check out Sternum’s full breakdown of the flaw.