
macrumors bot
Original poster


Older Wemo smart plugs from Belkin have a vulnerability that allows them to be hacked, according to a blog post from security researchers at Sternum. The Wemo Mini Smart Plug V2 (model F7C063) from 2019 is vulnerable to a buffer overflow attack that can be used to execute commands remotely.


Basically, the Wemo Mini Smart Plug V2 has a 30-character limit on the device name that can be exceeded, leading to an exploitable memory buffer error. Full details on how the exploit works are available from Sternum.

Belkin told Sternum that it has no plans to update the Wemo Mini Smart Plug V2 because it is at the end of its life after four years and has been replaced with newer models. That leaves many potential Belkin customers vulnerable, as there are likely many of these smart plugs being used in the wild.

Sternum recommends that people prevent the Wemo Mini Smart Plug V2 from accessing the internet and communicating with other devices like the iPhone because of the vulnerability, but the safest bet would be to remove the plugs and replace them with something more secure.

Article Link: PSA: Older Wemo Smart Plugs Have Vulnerability That Leaves Them Open to Attack
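To show what a "name limit that can be exceeded" looks like in firmware code, here is an added illustration in C (not Sternum's write-up and not Belkin's actual code): a fixed 30-character name buffer filled by an unbounded copy, next to a hardened version that validates the length on the device instead of trusting the app. The struct layout, function names and the idea of a relay flag sitting next to the name are assumptions for the example; only the 30-character limit comes from the article.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only: the 30-character limit is from the article; the field
 * layout and function names are assumptions, not the Wemo firmware. */
#define NAME_LIMIT 30

struct device_settings {
    char name[NAME_LIMIT + 1];   /* 30 characters plus the terminating NUL */
    int  relay_on;               /* adjacent state an overflow would clobber */
};

/* Vulnerable pattern: the limit is enforced only in the phone app's UI, and
 * the firmware copies whatever arrives over the network. A longer name writes
 * past the buffer into whatever memory follows it. Never called below. */
void set_name_unchecked(struct device_settings *s, const char *new_name)
{
    strcpy(s->name, new_name);   /* no bound: overflows when strlen > 30 */
}

/* Hardened form: enforce the limit on the device, reject over-long input
 * instead of truncating it silently, and copy with an explicit bound. */
bool set_name_checked(struct device_settings *s, const char *new_name)
{
    size_t n = strlen(new_name);
    if (n > NAME_LIMIT)
        return false;            /* caller should answer with an error */
    memcpy(s->name, new_name, n);
    s->name[n] = '\0';
    return true;
}

int main(void)
{
    struct device_settings s = { .name = "Lamp", .relay_on = 1 };

    /* Constructed input: 40 'A's, ten more than the limit allows. */
    char long_name[41];
    memset(long_name, 'A', 40);
    long_name[40] = '\0';

    printf("40-char name: %s, name is still \"%s\", relay_on=%d\n",
           set_name_checked(&s, long_name) ? "accepted" : "rejected",
           s.name, s.relay_on);
    printf("\"Kitchen\": %s, name is now \"%s\"\n",
           set_name_checked(&s, "Kitchen") ? "accepted" : "rejected",
           s.name);
    return 0;
}
```

The point of the hardened version is that the check lives where the data is consumed, in the firmware, so a client that skips the app's own 30-character limit gains nothing; the vulnerable function is shown only so the difference is visible and is not exercised.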
 
If you bought this product the first day it was available it’s 4 years old. If you were an average buyer it’s about 3 years old. And now Belkin has declared it e-waste because it was defective from the start, and they can’t be bothered to fix it. Thanks to Belkin for helping to destroy the planet faster.☹️
 
As someone affected, Belkin is off my list.

What a lazy response “it’s 4 years so we decided screw customers we can’t write software for something you paid for.”

Contributing to more unnecessary e-waste.

I’d happily go back to just using regular switches if, in exchange, all companies like this could just be put out of business.
 
Yup. Belkin just lost my future business.
What a terrible policy/response.
👋
Agreed! Given that the firmware could be easily updated, Belkin should do their part to write a quick code update. It also reduces e-Waste so people don’t then either have to get new “smart” plugs or just abandon the idea of “smart” plugs totally.

This is one reason I tend to shy away from so-called “smart” things or IoT. So many of them are so poorly supported. A lot of fanfare when the hardware first comes out, then it soon loses software support, but meanwhile the hardware works just fine but needs a firmware/software upgrade. E-Waste!

Edit: somewhat related/unrelated. We have a Ford Fiesta and when we bought it like 6 years ago or something like that, it came with something called Sync Services which includes something like sending vehicular “health” data to a central server which then collects and stores and/or redistributes it to your MyFord account. A few years later, Sync Services went out of commission. So, whenever I run a “Vehicle Health Report” from the car infotainment, it dials a number which then says the service is no longer available etc. etc. Wow. How stupid. Dumb. Another reason not to buy too much into these connected experiences unless you must or it is not that essential. We didn’t pay for Sync Services. It just came with the car, until it didn’t.

The one internet smart device we have is a thermostat from Honeywell that does geofencing. Basically it uses the Honeywell (now Residio) app to geolocate and when a barrier is crossed, the phone sends a signal to a central server which then sends a signal back to our local thermostat. I love the geofencing thermostat as we can keep the temperature higher (or lower) when we are away. Very luckily, we are not necessarily dependent on Honeywell’s app or services, because, as most of you probably know, HomeKit also can do geofencing, so we could use Apple’s native HomeKit to do the geofencing and control the temp for the thermostat.

Other than this smart IoT device, we have none.
 
How frustrating. I have four of these. It’s already frustrating enough to have to incorporate new ones into my existing HomeKit automations, but now I have to spend $120+ just to have the same lights turn on and off in my existing setup without risking a network attack of some sort. All because Belkin chooses profit over responsibility and customer care. Gross.
 
Yeah, they might switch your lamp on and off to annoy you :)
I know right? I wish that news sites and blog posts would stop giving some of these "Security Research" companies the publicity. The reality is there is no reason to fear for the vast majority of people because these are the kinds of things that are more effort than they are worth unless it's a targeted attack.
 
Terrible response from Belkin. That's just not how you handle press.
I know right? I wish that news sites and blog posts would stop giving some of these "Security Research" companies the publicity. The reality is there is no reason to fear for the vast majority of people because these are the kinds of things that are more effort than they are worth unless it's a targeted attack.
Otherwise I agree with this.
 
One question that I may not have found the answer to because I didn't read every little bit of their blog post... It sounds like this is an issue that can only happen in the setup, like when you already have access to its wifi network because it isn't paired?

Can you get to this state once it is setup and connected to your local network? Or is this just

IF you are setting it up... and there is an attacker in wifi range, and they happen to exploit it in the 3 minutes you are setting it up, THEN once it finishes it could have remote access?
If that's the case it is really a non-issue
 
I have v3 of this plug, and all I can say is wow. Unbelievable that they released that statement and completely leave the customers to fend for themselves. I am appalled by their inaction and refusal to offer a solution.

At least give those affected a discount or recall with free replacements for the hassle. I will definitely not purchase anything from Belkin
 
Yeah, they might switch your lamp on and off to annoy you :)
Actually, no. If you give any app on your phone permission to your network, then it could exploit your plug. The plug is connected to your WiFi. The exploit could overwrite the firmware to add extra functionality like sniffing your network constantly, issuing remote commands to your devices on your network. This is really far reaching and doesn’t just allow the attacker to control the plug. It gives them full access to your network and the devices on the network.
 