Unpatched Wemo Smart Plug Bug Leaves Numerous Networks Vulnerable to Cyberattacks

May 16, 2023

The Wemo Mini Smart Plug V2, a device that lets users remotely control the appliances plugged into it through a mobile app, has a security vulnerability (CVE-2023-27217) that makes numerous networks susceptible to cyberattacks. Attackers can exploit the flaw to remotely control electronics and potentially infiltrate internal networks or compromise additional devices. The Smart Plug is used by both consumers and businesses, connecting to an internal Wi-Fi network and to the internet via Universal Plug and Play (UPnP) ports. It integrates with Alexa, Google Assistant, and Apple HomeKit, and offers features like scheduling for added convenience.

The security flaw, discovered by researchers at Sternum, is a buffer-overflow vulnerability affecting model F7C063 of the device, which allows remote command injection. However, when the researchers contacted Belkin, the device manufacturer, they were informed that no firmware update would be provided, as the device is considered end-of-life. Despite this, the researchers believe that many of these devices are still being used, with sales on Amazon alone possibly reaching hundreds of thousands. Igal Zeifman, vice president of marketing for Sternum, noted that this is a conservative estimate of the attack surface.

Zeifman advised businesses using this version of the Wemo Smart Plug to either stop using it or ensure that the UPnP ports are not exposed to remote access. He emphasized that if the device is connected to a critical network or asset, the situation is not ideal.

The vulnerability lies in the way the firmware handles the naming of the Smart Plug. Users can rename the device using the "FriendlyName" variable, which has a 30-character limit imposed by the mobile app. However, Sternum researchers found that connecting directly to the device via pyWeMo, an open-source Python module, allowed them to bypass this limit and input a longer name. The researchers discovered that any name longer than 80 characters corrupted the metadata of the heap, leading to short crashes, buffer overflow, and the ability to control memory re-allocation.

Zeifman commented that the vulnerability is not difficult to exploit and could potentially be carried out via Wemo's cloud infrastructure option. He explained that an attacker would need either network access or remote UPnP access if the device is open to the internet. In the absence of a patch, users can take some mitigating steps, such as ensuring that the Smart Plug is not exposed to the internet, which would make exploitation more challenging. Sternum provided some common-sense recommendations for users.
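Because the 30-character limit exists only in the mobile app and no firmware fix is coming, the length check has to be done somewhere else, for example in a network sensor or proxy in front of the plug. The sketch below is an added example (not code from Sternum, Belkin or pyWeMo) that grades the "FriendlyName" value in a captured request body against the two thresholds the article gives. The function names, verdict strings, sample action element and namespace are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

APP_NAME_LIMIT = 30    # characters; limit the mobile app enforces (from the article)
CORRUPTION_LIMIT = 80  # names longer than this corrupted heap metadata (from the article)
RANK = {"ok": 0, "over-app-limit": 1, "overflow-risk": 2}

def classify_name(name):
    """Grade one FriendlyName value. Bytes are used for the upper threshold
    (assumption: the device buffer is filled with the UTF-8 encoding)."""
    if len(name.encode("utf-8")) > CORRUPTION_LIMIT:
        return "overflow-risk"
    if len(name) > APP_NAME_LIMIT:
        return "over-app-limit"
    return "ok"

def inspect_request(body):
    """Return (verdict, utf8_length) for one captured request body (str)."""
    if "<!doctype" in body.lower():
        return ("rejected-dtd", 0)       # never hand DTDs/entities to the parser
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("unparseable", 0)        # worth logging: malformed input to a device
    worst = None
    for el in root.iter():
        # Match on the local name so any namespace prefix is accepted.
        if el.tag.rsplit("}", 1)[-1] != "FriendlyName":
            continue
        name = el.text or ""
        found = (classify_name(name), len(name.encode("utf-8")))
        if worst is None or (RANK[found[0]], found[1]) > (RANK[worst[0]], worst[1]):
            worst = found
    return worst or ("not-a-rename", 0)

def sample_request(name):
    """Constructed SOAP-style body; action element and namespace are placeholders."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:RenameExample xmlns:u="urn:example:placeholder">'
            f'<FriendlyName>{name}</FriendlyName>'
            '</u:RenameExample></s:Body></s:Envelope>')

if __name__ == "__main__":
    for n in ("Kitchen lamp", "x" * 45, "x" * 90):
        print(inspect_request(sample_request(n)))
```

Any verdict other than "ok" or "not-a-rename" means the request did not come from the stock app's rename path, which is a reason to alert on it or drop it before it reaches the plug.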

The research highlights the ongoing struggle of Internet of Things (IoT) vendors with security by design. Zeifman emphasized that IoT devices should have the same level of endpoint security as other assets, such as desktops, laptops, and servers. Relying solely on responsive security patching leaves devices vulnerable, as patches will eventually stop being released.
