Security researchers at Sternum report they’ve found an exploitable vulnerability in the Wemo Smart Plug Mini V2 (via 9to5Mac). The plug debuted in 2019, offering cross-platform compatibility with Apple HomeKit, Google Assistant, and Alexa.
The bug would let a savvy hacker gain remote command of your Wemo plug by bypassing the Wemo app and talking to the device directly with PyWeMo, a community-made Python app. Once connected, an attacker can set the device name to a string longer than 30 characters, which overflows a buffer in the plug's firmware and allows the attacker to inject commands remotely.
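The bug class the article describes, a fixed-size name buffer written from a request without a length check, is shown below as an added illustration in C. It is not Wemo firmware or Sternum's code; the struct layout, the use of the article's 30-character limit as the buffer size, and the function names are all assumptions. The point is the defensive one: the hardened setter validates length and rejects out-of-spec input instead of copying it blindly.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only (assumption): the real device layout is unknown. */
#define NAME_MAX 30                 /* the 30-character limit named in the article */

struct device {
    char name[NAME_MAX + 1];        /* 30 characters plus the terminating NUL */
    int  flags;                     /* an adjacent field an overrun would clobber */
};

/* Vulnerable pattern: copies whatever the request carries. Any name longer
 * than NAME_MAX writes past 'name' into whatever follows it in memory. */
void set_name_unchecked(struct device *d, const char *req_name)
{
    strcpy(d->name, req_name);      /* no bound on req_name */
}

/* Hardened pattern: measure the input with a bounded scan, refuse anything
 * over the limit, and only then copy. Rejecting (rather than silently
 * truncating) also leaves a visible signal that an out-of-spec request
 * arrived, which is what a defender wants to log and alert on. */
bool set_name_checked(struct device *d, const char *req_name)
{
    size_t n = 0;
    while (n <= NAME_MAX && req_name[n] != '\0') {
        n++;                        /* reads at most NAME_MAX + 1 bytes of input */
    }
    if (n > NAME_MAX) {
        return false;               /* caller should answer with an error status */
    }
    memcpy(d->name, req_name, n);
    d->name[n] = '\0';
    return true;
}

int main(void)
{
    struct device d = { .name = "", .flags = 0 };

    /* Constructed sample inputs: a normal name and a 40-character one. */
    char too_long[41];
    memset(too_long, 'A', 40);
    too_long[40] = '\0';

    printf("short name accepted: %d\n", set_name_checked(&d, "Kitchen lamp"));
    printf("40-char name accepted: %d\n", set_name_checked(&d, too_long));
    printf("stored name: \"%s\"\n", d.name);
    return 0;
}
```

The unchecked setter is shown for contrast only; the checked setter is the one a request handler should call, and a rejected rename is a good candidate for a log line on any device or gateway that exposes a name-setting endpoint.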
When Sternum disclosed the vulnerability to Belkin, it was told that since the device was at the end of its life, it would not be receiving a fix. Sternum then reported the issue to not-for-profit cybersecurity org The Mitre Corporation, which then created CVE-2023-27217.
If you’re still using one of these smart plugs, the team recommends not exposing the Wemo plug’s UPnP ports to the internet and segmenting your network so the plug is isolated from Wi-Fi-connected devices that hold more sensitive information, like your computer or phone. Those are good steps to take with internet-connected IoT devices in general, though they aren’t a surefire fix in every case: with certain devices, you could lose some or all of their functionality.
After initial publication of this story, Belkin spokesperson Cassie Pineda said the vulnerability will be addressed, and added that the company does not believe it could be exploited outside of a user’s local network, contrary to Sternum’s thinking.
While not every smart plug will be wide open to the internet, Sternum raises the possibility this flaw could be exploited remotely using cloud controls:
While this wasn’t in the scope of our research, from what we have gathered, it appears that this vulnerability could be triggered via the Cloud interface (meaning, without a direct connection to the device).
This further highlights the need for the abovementioned steps, as the Wemo Cloud infrastructure could be used as a potential attack vector.
Wemo’s current lineup of smart home devices includes a fourth version of this product, the Wemo Smart Plug with Thread, which doesn’t require the internet to function, as is the case for all Thread and Matter devices. That plug is only compatible with HomeKit, however, and Belkin won’t be releasing an updated Matter-compatible version anytime soon.
Update May 17th, 5:40PM ET: Updated with comment from Belkin.