You're VERY much over-stating Apple's support.

5 years from last sale is vintage. Almost all hardware and software support stops. There have been a few instances of Apple issuing a critical software security update for non-current software, but I think the longest backward support was two previous versions for an active zero-day exploit.
At 7 years the devices are considered obsolete and have no support from Apple for hardware or software. A recall is still possible; otherwise all issues are your own. Ex: the 1st Gen iPod Nano.

Agree. I had some iPod touch (5th gen or 6th) that had support ended the day it stopped being for sale.
 
This is an overreaction from what I read of the exploit.
Someone would need to be on your network for the plug to even hear, never mind operate on the "change your name" command.
This is incorrect. If UPnP is enabled, then the Wemo V2 is vulnerable from the internet:
 
Such products should have several conditions imposed before sale:

  • Publish a binding intended minimum life;
  • Publish a binding policy on timescales to issue fixes;
  • Publish a binding policy if fixes become impossible;
  • Publish a binding policy on releasing information that would be required for third-party support;
  • Require compensation if conditions not met.
These policies being backed up by insurance, escrow (for code), etc. with punitive damages if broken.

And these policies being required (at least in summary) on advertising and promotional material.

Obviously, if a company sets a minimum life of one month, we can take our custom elsewhere.

Also, if the device consists of two or more parts, they need to be viewed together. For example, a switch and a controller – neither useful without the other functioning.

Obviously, this is wishful thinking. But some part of it might be possible.
 
Yeah, they might switch your lamp on and off to annoy you :)
A Vegas casino got hacked and had a bunch of money stolen from them because of a weakness in an internet-enabled fish tank thermometer. If they get into your network, it becomes much easier to move around it. You prob don’t have millions of dollars at risk, but you may have login/password details that could theoretically get lifted from a home computer.
 
Costco was selling these for a long time. I have two of them; only one is being used, but it's my lamp in the living room. Yeah, call it overreacting, but since that lamp is in a ton of routines, replacing even the one plug is a pain: I have to put in the new (likely Kasa) plug, then update all routines to use the new plug.
 
So if my bedridden elderly mother loses push button control of her portable air conditioner in her Dallas apartment on a 100-degree Summer day, her death is on me.

End of life, indeed.

Thanks, Belkin. Better hope you don’t get sued.
 
So sounds like moving these smart devices to their own network is the way to go.
I only have 1 of the 4 Belkin v2 plugs in use as well as 1 v3/v4. Also have the following devices I’d have to move to their own / guest network: 1 Amazon plug, nest thermostat, 1 Samsung indoor camera, 4 ring cameras and 1 doorbell, 1 Samsung and 1 LG smart TV, 1 LG dishwasher, 1 LG fridge, 1 Samsung washer, 1 Samsung dryer. 5 hue light bulbs, 3 hue playbars…but at least they use the hue bridge.
Gawd, what a d@mn PITA.
 
Regulators should consider that tech companies should be compelled to open source their software when they announce their product is end of life or no longer support the product. Otherwise, they should be compelled to offer support and distribute a fix within a mandated time period after a vulnerability is disclosed.


Belkin is buddy-buddy with Apple, and has stuff in Apple stores as well, kinda shocking imo
Indeed, Apple should yank all Belkin products from their stores to send them a clear message.
 
Belkin is crap. Tried one of the newer smart plugs (from the Apple Store) and could never get it to pair up, promptly returned. They were once a really good and dependable company. Bought EVE Energy and haven't looked back.
 
This is fairly low-level and difficult to exploit. The source article is a good read for those interested in C, assembly language, or buffer overflow attacks, but even as someone who majored in CS it was pretty hard for me to follow.

Manufacturers refusing to provide security updates is still a good reason to avoid smart home devices, as if we even needed another...

edit: Getting more of the gist of it on the second read, I enjoy very technical articles like this :)
 
So if my bedridden elderly mother loses push button control of her portable air conditioner in her Dallas apartment on a 100-degree Summer day, her death is on me.

End of life, indeed.

Thanks, Belkin. Better hope you don’t get sued.
Only if you're responsible for the locks on her doors OR responsible for an extremely weak Wi-Fi network setup (something like the name of the access point is "ThePasswordIsElderlyMother"). Because that's the only way anyone can get to the device.
 
Only if you're responsible for the locks on her doors OR responsible for an extremely weak Wi-Fi network setup (something like the name of the access point is "ThePasswordIsElderlyMother"). Because that's the only way anyone can get to the device.
Note: While this wasn’t in the scope of our research, from what we have gathered, it appears that this vulnerability could be triggered via the Cloud interface (meaning, without a direct connection to the device).

This further highlights the need for the aforementioned steps, as the Wemo Cloud infrastructure could be used as a potential attack vector.
 
Yeah, they might switch your lamp on and off to annoy you :)
This would be a useful hack to get people to think their house is haunted. Have a sound machine whisper "get out" occasionally to boost the effect.😁 Doubtful you would scare someone out of their home in today's housing market. "My house is haunted? I'm gonna find that ghost and make 'em pay rent."🤨
 
Note: While this wasn’t in the scope of our research, from what we have gathered, it appears that this vulnerability could be triggered via the Cloud interface (meaning, without a direct connection to the device).

This further highlights the need for the aforementioned steps, as the Wemo Cloud infrastructure could be used as a potential attack vector.
IMO they need something to back up this claim. The attack was carried out with direct commands to a device on the same network. A web-based configuration interface or API will have its own validation constraints in place.
 
Yeah, they might switch your lamp on and off to annoy you :)
A friend of mine used to run around the neighbourhood with a universal TV remote and turn people's TVs off (same sort of thing for electric garage door remotes)...

Anyway, we really need to get away from the idea that a perfectly good electronic device should simply be trashed after 4 years. It's costing the planet. I would hope these plugs would be patched so they are still usable.
 
Actually, no. If you give any app on your phone permission to your network, then it could exploit your plug. The plug is connected to your WiFi. The exploit could overwrite the firmware to add extra functionality like sniffing your network constantly, issuing remote commands to your devices on your network. This is really far reaching and doesn’t just allow the attacker to control the plug. It gives them full access to your network and the devices on the network.
Well this makes me want to invest in smart stuff 🙄 Not.
 
Are we not in the year 2023? 30-character limit on a user-entered value? Next you're going to tell me it doesn't support mixed case, or that it does, but it's case-sensitive...

This is almost as bad as when I go to certain websites (especially government) which refuse to allow passwords longer than 8 characters.

Too many characters received, but we've not written a handler for that, so, here you go, direct CPU/RAM access...

This industry is a disaster and almost nobody is willing to see it.
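The failure mode this post describes, as an added example that is not from the thread, the source article or Belkin's firmware: a "rename" handler that trusts the app's 30-character limit beside one that enforces the limit on the device. The settings-block layout, the offsets, the field names and the request bytes are all constructed for the demonstration; the only thing taken from the thread is the 30-character limit itself.

```c
/* name_limit.c: a client-side "30 character" limit is not enforcement.
 * Illustrative model, not Belkin's code: layout and offsets are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_MAX   30   /* assumed: the limit the thread discusses */
#define NAME_OFF   0    /* assumed: name field starts the settings block */
#define RELAY_OFF  32   /* assumed: relay state byte sits just past the name */
#define CFG_SIZE   64

/* Model of the device's in-RAM settings block: name in bytes [0, 31),
 * a relay-state byte a little further on. One array, so the overflow
 * below stays well-defined C for request sizes under CFG_SIZE. */
typedef struct {
    uint8_t bytes[CFG_SIZE];
} device_cfg;

void cfg_init(device_cfg *c) {
    memset(c->bytes, 0, CFG_SIZE);
    memcpy(c->bytes + NAME_OFF, "Lamp", 5);
    c->bytes[RELAY_OFF] = 0;            /* 0 = off, 1 = on */
}

/* Vulnerable handler: assumes the app never sends more than 30 characters,
 * so the copy length is chosen by whoever sent the request. Everything after
 * the name field gets overwritten; here that is the relay byte, on real
 * hardware it would be whatever follows the buffer in memory. A request
 * longer than CFG_SIZE would run past the block entirely. */
void set_name_unchecked(device_cfg *c, const char *req) {
    memcpy(c->bytes + NAME_OFF, req, strlen(req) + 1);
}

/* Hardened handler: the device enforces the limit itself and rejects an
 * over-length name rather than silently truncating, so the caller learns
 * the request was refused. memchr bounds the scan; no strnlen needed. */
int set_name_checked(device_cfg *c, const char *req) {
    const char *end = memchr(req, '\0', NAME_MAX + 1);
    if (end == NULL)                    /* no terminator within 31 bytes */
        return -1;
    size_t n = (size_t)(end - req);
    memcpy(c->bytes + NAME_OFF, req, n);
    c->bytes[NAME_OFF + n] = '\0';
    return 0;
}

uint8_t relay_state(const device_cfg *c) { return c->bytes[RELAY_OFF]; }
const char *cfg_name(const device_cfg *c) {
    return (const char *)c->bytes + NAME_OFF;
}

/* A constructed 40-byte rename request: filler, with the byte that lands on
 * the relay field set to 1. Returned from static storage. */
const char *attack_req(void) {
    static char req[41];
    memset(req, 'A', 40);
    req[RELAY_OFF - NAME_OFF] = 1;      /* this byte overwrites the relay state */
    req[40] = '\0';
    return req;
}

/* Relay byte after the over-length request goes through the unchecked path. */
uint8_t relay_after_unchecked_rename(void) {
    device_cfg c;
    cfg_init(&c);
    set_name_unchecked(&c, attack_req());
    return relay_state(&c);
}

/* Handler verdict for the same request on the checked path; *relay_out
 * receives the relay byte afterwards so the caller can confirm it is intact. */
int checked_rename_verdict(uint8_t *relay_out) {
    device_cfg c;
    cfg_init(&c);
    int rc = set_name_checked(&c, attack_req());
    *relay_out = relay_state(&c);
    return rc;
}

int main(void) {
    uint8_t relay;
    int rc = checked_rename_verdict(&relay);
    printf("checked path:   rc=%d relay=%u\n", rc, relay);
    printf("unchecked path: relay=%u (lamp switched on by a rename request)\n",
           relay_after_unchecked_rename());
    return 0;
}
```

The point of the checked version is that the limit lives in the request handler, where the bytes actually arrive, not in the app that the attacker does not have to use; and that it refuses rather than truncates, since silent truncation hides the fact that something sent an over-length name in the first place.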
 