Wemo won’t fix Smart Plug vulnerability that allows remote playback – Ars Technica

I once co-owned a co-working space. The space had doors with magnetic locks, locked by a powered relay. My partners and I realized that if we could turn the system on and off, we could control the door lock remotely. One of us had a first-generation Wemo plug, so we plugged it in, and then the programmer between us made a script that, passing Python commands over the local network, unlocked and locked the door.

Sometimes it would occur to me that it was weird that without authentication you could just shout python commands into Wemo and it would switch. I have the same feeling today about a newer generation device that still has fatal flaws.

Security research firm IoT Sternum (revealed) a Buffer overrun issue in Wemo Mini Smart Plug V2. The company’s blog post is full of interesting details about how this device works (and what it doesn’t), but the main takeaway is that you can expect a buffer overflow by passing a device name longer than its 30-character limit — a limit only enforced by apps. Wemo own — using third-party tools. Inside this overflow you can enter a playable code. If your Wemo is connected to the wider internet, it may be hacked remotely.

The other major takeaway is that Wemo maker Belkin told Sternum that it will not fix the flaw because the Mini Smart Plug V2 is “at the end of its life, and as a result, the vulnerability will not be addressed.” We’ve reached out to Belkin to ask if they have comments or updates. Sternum stated that it notified Belkin on January 9, received a response on February 22, and disclosed the vulnerability on March 14.

Sternum suggests avoiding any of these units’ exposure to the wider internet, and subnetting them away from sensitive devices, if possible. However, the vulnerability could be triggered through Wemo’s cloud-based interface.

The community application that makes the vulnerability possible is pyWeMo (Updated version of the version used in my shared workspace). Newer Wemo devices offer more features, but they still respond to network commands sent from pyWeMo without any password or authentication.

Belkin’s Wemo devices have caused smart home security headaches before. In February 2014, security researchers revealed that its devices had leaked passwords through a firmware update workflow; Belkin said it did indeed correct the issues in the firmware update, though it didn’t tell the original researcher nor US-CERT (now the Cybersecurity and Infrastructure Security Agency). In 2019, researchers reported a security vulnerability Reported one year ago by Belkin He was Still a problem.

Wemo’s weak plugs were some of the most popular and simple plugs available, recommended by many smart home guides and apparently bought by thousands of buyers, judging by the reviews. While they debuted in 2019, they are not smartphones or tablets. Four years later, people had little reason to get rid of them yet.

I have a couple in my house who do mundane things like “turn on the string lights on the banister at sunset and turn them off at 10pm” and “turn on the white noise machine when I’m too lazy to get out of bed to do that.” It will be safe from remote code executions once shredded and sorted into component minerals by my regional e-waste facility.

One of the things that would help Wemo devices escape their internet vulnerabilities and lack of end-of-life support is to offer on-premises support only through Matter. However, Belkin isn’t keen on jumping into support for Matter just yet, saying it might offer it in Wemo products once it can “find a way to differentiate it.” One might suggest that Belkin has now presented at least one notable way that its future products could be different.