Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

PSA: Older Wemo Smart Plugs Have Vulnerability That Leaves Them Open to Attack

I don't really blame Belkin here, they aren't alone in not fixing severe security issues on product that has reached the end of support.
When we buy a cheapo Android device, cheap IoT things and when the manufacturer only make money at the point of sale this is something we have to learn to live with.

I can see a few solutions going forward but a majority won't like it since it kills off the cheap products we love to buy so much.

* Have laws saying that if you are manufacturing things that are going to be connected to the internet you are need to provide updates for at least 10 years after the product has reached EOL
* Sell it as a service where updates are provided.
* Offer a subscription where updates are available (then the manufacturer make money throughout the life cycle)
* Educate people in "you get what you pay for".


Just imagine what will happen to all the cars that are released now that are hooked up to the internet......we will need manufacturers to support them for a long time.

Fixing security flaws isn't free, just look at our favourite Apple devices. Even if Apple make money from them they won't update them after a few years.
 
  • Like
Reactions: Tagbert
Aston441 said:
DLink did the same thing with their smart plugs November last year. Just switched them off. No recourse.

They’re all bastards. At least Philips stuff keeps working without cloud connection. I just don’t bother throwing money away on anything requiring a cloud connection any more. It’s just a huge future headache in the making.
Click to expand...
Absolutely. Several years ago, we had to replace our garage door openers. One model we came across touted its internet connectivity allowing you to control the door through the internet. I was thinking that these mechanical devices can outlast the software or Cloud server support. No thanks. I want a dumb device, not a smart one precisely because software or cloud service support can’t be trusted to be around.
 
  • Like
Reactions: arkitect
CausticSoda said:
I'm getting to the age now where I shall be very happy to fit my house, in retirement, with as little "Smart Tech" as I can get away with. Yes I'll continue to enjoy my iPhone, Apple Watch and MacBook just as I do now. I don't think I want or need anything else at all connect to the Internet thanks. Somehow I'll manage to turn my own switches on and off and notice when I need to buy some more eggs or fruit juice. I will continue to avoid the incredibly tedious Siri. The grandchildren will doubtless come around and think of me like I thought of my grandmother with her black and white television. And so the cycle of life continues...
Click to expand...
I hear ya. Many years ago, I was visiting a dear professor. This was back in the late 2000s and the professor was in her 60s, so not old. She still had an old TV, the kind that looks like furniture — wood console, chunky, and sits on its own on the floor. Of course it was a cathode ray tube which by then had long gone out of fashion. I think this was an RCA. It was like going back in time. This dear professor passed away 10 years later, unexpectedly. :(

Yeah I feel that I’m one of those who by not adopting smart devices may soon be among those whom others regard as behind the times.
 
  • Like
Reactions: arkitect
macduke said:
How about they just push out an update? It's not like it would take them long to patch it and the updater still works via the app.
Click to expand...
No patch they could release could prevent an attacker with physical access to the device from undoing it.
 
msackey said:
Apple’s support for their hardware typically goes on for much longer than a few years. I believe they’re supported actively for 7 and then after that are often supported mostly via updates to security. For example, https://www.macworld.com/article/675021/how-long-does-apple-support-iphones.html
Click to expand...
I agree, Apple do support some of their devices a bit longer than other competitors. But the ONLY reason for this is that they make money from that their devices are being used.
This isn't the case for most manufacturers and the reason why we need to have a think about other ways of how we consume connected devices in the future.
 
I’ve railed against Wi-Fi IoT devices many many times before on here. They keep proving me right - Don’t go Wi—Fi. It’s literally a trojan horse onto one’s home network. I’m skeptical of any IoT solution that requires a single IPv4 address. These devices are like ticking time bombs on your network, just waiting to subject your Wi-Fi IoT this kind of tomfoolery. As we can see, the biggest problem is that companies do not find it necessary to maintain their products’ security.

I prefer to take the risk away; and leave the on/off switch to work as a switch - not as a standalone web server with a switch built in.

I use a properly security maintained hub (Universal Devices’ eisy) which I interface with Homebridge. I have dozens of different options for switches- mostly have a collection of old Insteon* devices that are still good after 15 years, and I now buy Zwave too. Both smart switches communicate with the hub at 900 MHz. It’s literally rock solid reliable and works when my internet connection and WiFi doesn’t. I bet will continue to work for at least another 10 years or more.

If there’s ever a major issue, Universal Devices will upgrade the operating system. They maintained their last hub - the ISY994i for over 10 years. If that’s not possible, I can replace the hub, and I’m not out $100s in switches.

* everybody had a right to hate on Insteon closing the business, and being resurrected by customers, but it wouldn’t change the fact that everything continued to work with my non Insteon hub… and I didn’t notice that the company failed. Remember, Belkin can’t even maintain one product for 4 years.
 
  • Like
Reactions: Aston441, msackey and arkitect
msackey said:
I hear ya. Many years ago, I was visiting a dear professor. This was back in the late 2000s and the professor was in her 60s, so not old. She still had an old TV, the kind that looks like furniture — wood console, chunky, and sits on its own on the floor. Of course it was a cathode ray tube which by then had long gone out of fashion. I think this was an RCA. It was like going back in time. This dear professor passed away 10 years later, unexpectedly. :(

Yeah I feel that I’m one of those who by not adopting smart devices may soon be among those whom others regard as behind the times.
Click to expand...
Hopefully not!
Personally I don't think having smart devices plugged in all over the house is a marker of how tech savvy a household is.

Even though we own none of these smart plugs, we have pretty much all the latest gear. I know the stuff is out there, but what benefit would they bring me? (Well, maybe a cat feeder would be handy at 5:30am)

Both my husband and me know how to switch the lights on and off… we don't need a smart fridge to tell us we're out of eggs — or wine — I know that! 🤣

Mind you, we are 59 and 56 years old… so it is probably an age thing.
 
  • Like
Reactions: msackey
IoT device is hackable.


Screenshot 2023-05-17 at 10.38.56.png
*shocked Belkachu*
 
  • Haha
  • Like
  • Love
Reactions: Tagbert, MadeTheSwitch, Luke MacWalker and 5 others
jz0309 said:
Well, that says it all about Belkin…
100% never will I buy a Belkin product.
Click to expand...
Did you miss where their routers, at one point, were randomly redirecting http requests to their adspace?

Most of us stopped buying their garbage at that point.
 
Just google "Bruce Schneier IoT security" and you'll see this is a big problem in general with smart home devices. Best to put them on their own network, have some sort of regular routine of checking for updates, and stay aware of which devices are not really supported as far as updates go.
 
  • Like
Reactions: zapmymac, LlamaLarry, EvilMonk and 2 others
Oh my. I know my ex has a few of these and I have at least 1 not in use. Although not foolproof, I added all IoT devices to their own network for reasons just like this. It’s not a bad idea if you’re in a position to do so.
 
Oh year another “smart” device showing vulnerability. Idk, how about the idea of, uh, not using one at all?
What’s wrong with old fashion power points? Simple LED lights? Simple switches?
Belkin is screwing customers yes, but that‘s the price you are gonna pay for “smart home”. Vote with wallet and force Belkin to reconsider.
Although I have to say it is unlikely Belkin would be hurt by this.
Let’s manufacture more e-waste and expedite planet destruction.
 
Belkin told Sternum that it has no plans to update the Wemo Mini Smart Plug V2 because it is at the end of its life after four years and has been replaced with newer models.
Click to expand...

let's jail the CEO of belkin for this kind of behavior
 
I have 4 of those Belkin smartplugs with my 2 TP-Link casa smartplugs, 6 Casa Smart WiFi Wallswitches w/dimmer, a Ring wifi doorbell camera, 2 outdoor cameras (1 google nest floodlight cam mounted under the roof over the garage door and 1 TP-LINK Tapo over the sliding door / under the roof of 2nd floor balcony with an auto spotlight.

Where I did things different is that they're all on a guest network that has no access to my main network. Only internet. And it all works well.
 
bottsjw said:
Yup. Belkin just lost my future business.
What a terrible policy/response.
👋
Click to expand...
this is an overreaction from what I read of the exploit.
Someone would need to be on your network for the plug to even hear, never mind operate on the "change your name" command.
Even if they do that, they're limited to running code on the plug itself and the device is a peripheral that receives and acknowledges, and completes commands. Best I can tell is they might be able to send commands to other IoT items on the network which has both a low probability of danger and success.
Apple has a similar support tail of five years from date of last sale to stop providing hardware support and software updates.
 
msackey said:
Apple’s support for their hardware typically goes on for much longer than a few years. I believe they’re supported actively for 7 and then after that are often supported mostly via updates to security. For example, https://www.macworld.com/article/675021/how-long-does-apple-support-iphones.html
Click to expand...
You're VERY much over-stating Apple's support.

5 years from last sale is vintage. Almost all hardware and softare support stop. There have been a few instances of Apple issuing a critical software security update for non-current software but I think the longest backward support was two previous versions for an active zero-day exploit.
At 7 years the devices are considered obsolete and no have support from Apple for hardware or software. A recall is still possible, otherwise all issues are your own. Ex: the 1st Genn iPod Nano

Search Apple Support

support.apple.com support.apple.com
 
C'mon, the fear and loathing about this is totally absurd. The only feasible attack vector is someone, somehow getting into your home wi-fi network and then hacking your light switch? This sounds like a bad Mission Impossible episode of hackers in darkened rooms with screens full of gibberish. If someone can get into your wi-fi you have bigger problems than worrying about them messing with smart switches.
99.99% of hacking is stealing passwords via phishing or malware downloaded from a website, not technically difficult tom-foolery.
 
  • Like
Reactions: Unregistered 4U
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back