Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
PSA: Older Wemo Smart Plugs Have Vulnerability That Leaves Them Open to Attack
- Thread starter MacRumors
- Start date
- Sort by reaction score
I have SEVEN Wemo smart plugs. I guess I'm not smart. Good news is that all are V3 or V4. Bad news is that in a few years, a flaw with these will be found and I will be in the same boat as V2 owners.
I think I may have a first gen wemo smart plug somewhere. It was definitely purchased before 2019. I’m assuming it’s still okay.
Maybe not fixing bugs is part of their sales strategy. Maybe the large appliance makers ( like refrigerators etc. ) will adopt the same strategy as internet is implemented in their products. Just a reminder that IoT can have additional costs beyond the purchase. Another industry taking advantage is HVAC. Many manufacturers force the homeowner to buy their proprietary “communicating” thermostats and they are expensive( one manufacturer allows standard thermostats even on their 20 SEER variable speed units but they are the exception)
Yours is more advanced than mine 🤣
I use this one because some things are best when they're simple
GE 15 Amp 24-Hour Plug-In Dial Basic Timer 15131DI - The Home Depot
www.homedepot.com
As an Amazon Associate, MacRumors earns a commission from qualifying purchases made through links in this post.
Looks like I have to replace mine.
With a competitor.
With a competitor.
What an absolute RUBBISH response from Belkin. My $39 x 7 outlets was ok 4 years ago though. I will absolutely replace my plugs, with another company's!
Bye Belkin.
Bye Belkin.
Belkin’s response is one of the many reasons I’ve stopped using their products, the most important one being that their products are overpriced garbage.
Actually, they couldn't get control with ALSR turned on (which it is by default), so this isn't really that important.
That's a pretty bad response from belkin.
Just reeks of contempt for their customers.
Just reeks of contempt for their customers.
4 years old? Just throw them in the trash!
-Belkin
-Belkin
Hacker can attack your devices on your network from inside your network. Hacker can perform denial of service attack using your device.Yeah, they might switch your lamp on and off to annoy you
Smart home idea is brilliant. It's just that you'd end up in the hands of manufacturers and hope that they keep supporting your devices for long.
A simple plug usually last for decades, but now it's 3 - 4 years top before EOL and leave you with e-waste or limited functions.
A simple plug usually last for decades, but now it's 3 - 4 years top before EOL and leave you with e-waste or limited functions.
I didn’t have this version but rather the stubbier square version 2,3,4? Costco was selling a light switch and plug combo a few years ago for $35, and I thought that was a good deal for a HomeKit compatible kit.
It never worked correctly. I gave up and return them to Costco, glad I did.
4 years is horrible for support. Will not buy another Belkin.
My old [5+ years old] iDevices (indoor & outdoor switch) work great. I even got a firmware update in the last year!
I bought the newest version (2022) of the Kasa [Homekit] outdoor switch, and it has received 2 firmware updates in the last year! The app is more than decent as well. 👍👍
Belkin is buddy-buddy with Apple, and has stuff in Apple stores as well, kinda shocking imo
It never worked correctly. I gave up and return them to Costco, glad I did.
4 years is horrible for support. Will not buy another Belkin.
My old [5+ years old] iDevices (indoor & outdoor switch) work great. I even got a firmware update in the last year!
I bought the newest version (2022) of the Kasa [Homekit] outdoor switch, and it has received 2 firmware updates in the last year! The app is more than decent as well. 👍👍
Belkin is buddy-buddy with Apple, and has stuff in Apple stores as well, kinda shocking imo
Eh. It gives them an opening into your LAN. Now they can use your internet connection as a proxy or a member of a botnet, which is bad enough. But if they wanted to, it's also an opening to begin looking for vulnerabilities on local devices. A visitor using your wifi probably isn't running opportunistic scripts on all of the devices on your network just because they can and might get lucky, but somebody who has exploited your smart plug surely will.
You also have to think... how many people use the default router password? Or bother to update their router firmware? Now you have a better place to stay than a smart plug and everybody on the network talks to you. Now you can poison their DNS, become a man in the middle, serve them fake pages, monitor all of the traffic on the network, etc.
Plus it would be trivial to collect networks and wait for easily exploitable vulnerabilities to crop up. Most people aren't exactly religious about updating, so they would probably have plenty of time.
Downplaying vulnerabilities like this isn't the way to go.
Belkin isn’t fixing it because the exploit works via a direct connection. This is a nothing burger, BUT if they left it at that, they’d have done all that work for zero social media buzz. SO, at the very end, they put:
“Note: While this wasn’t in the scope of our research, from what we have gathered, it appears that this vulnerability could be triggered via the Cloud interface (meaning, without a direct connection to the device).
This further highlights the need for the abovementioned steps, as the Wemo Cloud infrastructure could be used as a potential attack vector.”
Belkin basically told them, “No, we’re not going to fix this because if someone is already in someone’s house tearing apart their device to get physical access… they would likely not be wasting their time tearing apart their device as most people would likely notice someone in their house before they could accomplish anything.”
Their use of “could” is security doublespeak for “With all the other vectors of attack that are VASTLY simpler than this, it would never be used in the wild, but it COULD be sooooooo…. please like and share out our content?”
For any stories like this, ALWAYS look for the attack vector. If the attack vector is “physical access”, well congrats to the security researcher, EVERY system has physical access as a potential attack vector. I don’t even need to be a security researcher to know that.
“Note: While this wasn’t in the scope of our research, from what we have gathered, it appears that this vulnerability could be triggered via the Cloud interface (meaning, without a direct connection to the device).
This further highlights the need for the abovementioned steps, as the Wemo Cloud infrastructure could be used as a potential attack vector.”
Belkin basically told them, “No, we’re not going to fix this because if someone is already in someone’s house tearing apart their device to get physical access… they would likely not be wasting their time tearing apart their device as most people would likely notice someone in their house before they could accomplish anything.”
Their use of “could” is security doublespeak for “With all the other vectors of attack that are VASTLY simpler than this, it would never be used in the wild, but it COULD be sooooooo…. please like and share out our content?”
For any stories like this, ALWAYS look for the attack vector. If the attack vector is “physical access”, well congrats to the security researcher, EVERY system has physical access as a potential attack vector. I don’t even need to be a security researcher to know that.
Last edited:
Blowing up a “requires physical access” vulnerability like this isn’t the way to go either. Especially for a respectable security company. Guess that tells us all we need to know about this one.
Well Belkins response is ridiculous. I too, immediately thought "I'll never buy another belkin thing", then I remembered Im waiting for their "BOOST CHARGE PRO 3-in-1 Wireless Charger with MagSafe" to arrive ;-P
I have 4 of the mini smart plugs V2 (F7C063) and 1 v3 or v4 (WSP080).
Late last year I started moving to HUE bulbs and now have 5 of them. The connection to the HUE bridge is awesome. The Belkin plugs lose their connectivity every so often, which is inconvenient. Having said that, when they do work, they are handy especially around the holidays.
Looks like I got my first 2 in may 2019 then another 2 later that year and the v3/v4 in Dec 2020. The 4 v2's were from Costco so I think I'll bring them back there. Think they were $20 for 2 on sale.
A lot of Belkin items seem to be "cheap", so maybe the answer is to move to the Philips Hue plugs, but they run at about $35 each...
I have 4 of the mini smart plugs V2 (F7C063) and 1 v3 or v4 (WSP080).
Late last year I started moving to HUE bulbs and now have 5 of them. The connection to the HUE bridge is awesome. The Belkin plugs lose their connectivity every so often, which is inconvenient. Having said that, when they do work, they are handy especially around the holidays.
Looks like I got my first 2 in may 2019 then another 2 later that year and the v3/v4 in Dec 2020. The 4 v2's were from Costco so I think I'll bring them back there. Think they were $20 for 2 on sale.
A lot of Belkin items seem to be "cheap", so maybe the answer is to move to the Philips Hue plugs, but they run at about $35 each...
That’s… one way to respond. I wish Belkin the best of luck getting future business from anyone who reads that, lol. 😂
Also… end of its life after four years? What?! I understand Belkin wants repeat purchases and would like people to replace their smart plugs as often as possible… but it’s a plug. I kept my iPhone 8 for longer than four years.
Last edited:
I'm getting to the age now where I shall be very happy to fit my house, in retirement, with as little "Smart Tech" as I can get away with. Yes I'll continue to enjoy my iPhone, Apple Watch and MacBook just as I do now. I don't think I want or need anything else at all connect to the Internet thanks. Somehow I'll manage to turn my own switches on and off and notice when I need to buy some more eggs or fruit juice. I will continue to avoid the incredibly tedious Siri. The grandchildren will doubtless come around and think of me like I thought of my grandmother with her black and white television. And so the cycle of life continues...
How about they just push out an update? It's not like it would take them long to patch it and the updater still works via the app.
Never buying their products again. I bought these in mid-2020 for crying out loud! It hasn't even been 3 years for me.
Not to mention their wall switches randomly disconnecting showing a red light. Or the fact that if I have the switch on in my bedroom that controls the fan, it's so bright that it lights up the room and I had to put a sticker over it.
Belkin is a pretty terrible company and they need to die off already. They're behind the curve in every way from technologies to security to policy.
Never buying their products again. I bought these in mid-2020 for crying out loud! It hasn't even been 3 years for me.
Not to mention their wall switches randomly disconnecting showing a red light. Or the fact that if I have the switch on in my bedroom that controls the fan, it's so bright that it lights up the room and I had to put a sticker over it.
Belkin is a pretty terrible company and they need to die off already. They're behind the curve in every way from technologies to security to policy.
DLink did the same thing with their smart plugs November last year. Just switched them off. No recourse.
They’re all bastards. At least Philips stuff keeps working without cloud connection. I just don’t bother throwing money away on anything requiring a cloud connection any more. It’s just a huge future headache in the making.
They’re all bastards. At least Philips stuff keeps working without cloud connection. I just don’t bother throwing money away on anything requiring a cloud connection any more. It’s just a huge future headache in the making.