
PSA: It's Time to Recycle Your Old Wemo Smart Plugs (If You Haven’t Already)

Guest Author / May 16, 2023

According to this article in the Verge, security researchers at Sternum report they’ve found an exploitable vulnerability in the Wemo Smart Plug Mini V2 (via 9to5Mac). The plug debuted in 2019, offering cross-platform compatibility with Apple HomeKit, Google Assistant, and Alexa.

The bug would let a savvy hacker gain remote command of your Wemo plug by circumventing the Wemo app with a community-made Python app called PyWeMo. Once connected, an attacker can change the device name to something with more than 30 characters, resulting in a buffer overflow that allows the attacker to inject commands remotely.
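A defensive check for the over-30-character name condition described above, as an added example (not code from Sternum, Belkin, PyWeMo or the original article): it inspects a captured rename request body, as a filtering proxy in front of the plug might, and flags names that exceed the limit. The element name `FriendlyName`, the body size cap, the byte-counting assumption and the sample bodies are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MAX_NAME = 30              # limit reported in the article
MAX_BODY_BYTES = 8192      # assumed cap; a rename request is small
NAME_TAG = "FriendlyName"  # assumed element that carries the device name


def check_rename_body(body: bytes):
    """Return (allow, reason) for one captured request body."""
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return False, "DTD not allowed"  # no entity-expansion tricks
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed XML"
    for elem in root.iter():
        # ElementTree tags look like '{namespace}Local'; compare the local part.
        if elem.tag.rsplit("}", 1)[-1] != NAME_TAG:
            continue
        name = "".join(elem.itertext())
        # Assumption: the firmware buffer counts bytes, so a short name made of
        # multi-byte UTF-8 characters can still be too long. Check both.
        if len(name) > MAX_NAME or len(name.encode("utf-8")) > MAX_NAME:
            return False, "name too long"
    return True, "ok"


def sample_body(name: str) -> bytes:
    """Constructed SOAP-style body; the action and its namespace are made up."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        '<s:Body><u:Rename xmlns:u="urn:example:rename">'
        f"<FriendlyName>{name}</FriendlyName>"
        "</u:Rename></s:Body></s:Envelope>"
    ).encode("utf-8")


if __name__ == "__main__":
    # "&#65;" is an XML character reference for "A": parsing first means the
    # check sees the decoded name, which a raw byte match would miss.
    for n in ["Desk lamp", "A" * 30, "A" * 31, "é" * 20, "&#65;" * 31]:
        print(repr(n[:12]), check_rename_body(sample_body(n)))
```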

When Sternum disclosed the vulnerability to Belkin, it was told that since the device was at the end of its life, it would not be receiving a fix. Sternum then reported the issue to not-for-profit cybersecurity org The Mitre Corporation, which then created CVE-2023-27217.

If you’re still using one of these smart plugs, the team recommends avoiding exposure of the Wemo plug’s UPnP ports to the internet and segmenting your network so that the plugs are isolated from Wi-Fi-connected devices with more sensitive information like your computer or phone. Those are good steps to try with internet-connected IoT devices in general, though they’re not a surefire solution in every case: with certain devices, you could lose some or all of their functionality.


The researchers believe this vulnerability is something that could potentially be exploited without physical access.

While not every smart plug will be wide open to the internet, Sternum raises the possibility this flaw could be exploited remotely using cloud controls:

While this wasn’t in the scope of our research, from what we have gathered, it appears that this vulnerability could be triggered via the Cloud interface (meaning, without a direct connection to the device).

This further highlights the need for the abovementioned steps, as the Wemo Cloud infrastructure could be used as a potential attack vector.

Wemo’s current lineup of smart home devices includes a fourth version of this product, the Wemo Smart Plug with Thread, which doesn’t require the internet to function, as is the case for all Thread and Matter devices. That plug is only compatible with HomeKit, however, and Belkin won’t be releasing an updated Matter-compatible version anytime soon.

The above story was written by Wes Davis for the Verge.

Looking for a smart plug that passes the test? 

Meet the OhmPlug, the smart plug that's not only got all the bells and whistles of other smart plugs but when linked to OhmConnect, can actually *earn* you money! Check out the story of this OhmConnect member whose $11 smart plug earns her $27 back, every year.

Ready to make the switch? Find the OhmPlug on Amazon.
