
Unfixed Wemo Smart Plug Vulnerability Exposes Multiple Networks to Cyberthreats


The Wemo Mini Smart Plug V2, a device that lets users remotely switch anything plugged into it via a mobile app, has a security vulnerability that could let a remote attacker turn connected electronics on and off and potentially gain a foothold on the internal network and the other devices on it. The flaw, tracked as CVE-2023-27217, is a buffer overflow affecting the F7C063 model of the device. Sternum, the research firm that identified the vulnerability, notified the device's maker, Belkin, but was informed that no firmware update would be issued because the device is end-of-life.

The Smart Plug, which carries a four-star rating and more than 17,000 reviews on Amazon, is used by consumers and businesses alike. It plugs into an existing outlet, joins the local Wi-Fi network, and exposes Universal Plug and Play (UPnP) ports through which it is controlled; the mobile app reaches it over the local network or through the internet. Users can switch ordinary electronics wirelessly, set schedules, and integrate the plug with Alexa, Google Assistant and Apple HomeKit.

Sternum's researchers traced the flaw to the way the firmware handles the Smart Plug's name. The device ships with a default name (Wemo mini 6E9 on the unit they tested) that users may change, and the mobile app caps the new name at 30 characters. That limit, however, is enforced only in the app. Using pyWeMo, an open-source Python module for discovering and controlling WeMo devices, the researchers sent a longer name directly to the device's UPnP interface and the firmware accepted it. The oversized name overflowed its buffer and corrupted heap metadata, which at first merely crashed the device; by controlling the overflow, the researchers were able to influence subsequent heap allocations and, ultimately, inject commands remotely, giving an attacker a path to data and assets on the network behind the plug.
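The pattern Sternum describes, a length limit enforced only in the mobile app while the firmware copies whatever a UPnP client sends, is shown below as an added C example written for this page; it is not Belkin's firmware and not Sternum's code. It places the unchecked handler beside a hardened one that re-validates on the device, and builds the kind of request a direct UPnP client such as pyWeMo would send. The 30-byte buffer size, the struct layout, the SOAP action `ChangeFriendlyName` and the argument `FriendlyName` are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed: mirrors the 30-character cap the Wemo app enforces. The struct
   layout, tag and action names below are illustrative, not Belkin's. */
#define FRIENDLY_NAME_MAX 30

struct wemo_device {
    char friendly_name[FRIENDLY_NAME_MAX + 1];
    int  relay_on;
};

/* Locate the text between <FriendlyName> and </FriendlyName> in a SOAP body.
   Returns 0 and sets *out/*out_len on success, -1 if absent or malformed. */
static int extract_friendly_name(const char *body, const char **out, size_t *out_len)
{
    static const char open_tag[] = "<FriendlyName>", close_tag[] = "</FriendlyName>";
    const char *s = strstr(body, open_tag);
    if (!s) return -1;
    s += sizeof open_tag - 1;
    const char *e = strstr(s, close_tag);
    if (!e) return -1;
    *out = s;
    *out_len = (size_t)(e - s);
    return 0;
}

/* Vulnerable pattern: the firmware trusts that the app already enforced the
   cap and copies the client-supplied value with no bound. Shown for contrast;
   the demo never executes it with an over-long name. */
int set_friendly_name_unchecked(struct wemo_device *d, const char *body)
{
    const char *v; size_t n;
    if (extract_friendly_name(body, &v, &n) != 0) return -1;
    memcpy(d->friendly_name, v, n);   /* n > 30 writes past the buffer */
    d->friendly_name[n] = '\0';
    return 0;
}

/* Hardened handler: the length is re-checked on the device, so bypassing the
   app (pyWeMo, curl, a raw socket) gains nothing. Over-long input is rejected
   rather than silently truncated, so the client learns it was refused. */
int set_friendly_name_checked(struct wemo_device *d, const char *body)
{
    const char *v; size_t n;
    if (extract_friendly_name(body, &v, &n) != 0) return -1;
    if (n == 0 || n > FRIENDLY_NAME_MAX) return -1;
    memcpy(d->friendly_name, v, n);
    d->friendly_name[n] = '\0';
    return 0;
}

/* Build the request a direct UPnP client would send (constructed, simplified
   SOAP envelope; action and argument names are assumptions). */
static int build_body(char *out, size_t cap, const char *name)
{
    int n = snprintf(out, cap,
        "<s:Envelope><s:Body><u:ChangeFriendlyName>"
        "<FriendlyName>%s</FriendlyName>"
        "</u:ChangeFriendlyName></s:Body></s:Envelope>", name);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Would the unchecked copy write past friendly_name for a name of `len`
   bytes? Computed from lengths, not performed, to keep the demo memory-safe. */
int unchecked_overflows_len(size_t len)
{
    return len + 1 > sizeof(((struct wemo_device *)0)->friendly_name);
}

/* 1 if the hardened handler accepts this raw SOAP body, else 0. */
int hardened_accepts_body(const char *body)
{
    struct wemo_device d = {{0}, 0};
    return set_friendly_name_checked(&d, body) == 0;
}

/* Send a name of `len` 'A's through the hardened handler on a fresh device;
   1 if accepted and stored intact, 0 if rejected. */
int hardened_accepts_len(size_t len)
{
    char name[256], body[512];
    struct wemo_device d = {{0}, 0};
    if (len >= sizeof name) return 0;
    memset(name, 'A', len);
    name[len] = '\0';
    if (build_body(body, sizeof body, name) != 0) return 0;
    if (set_friendly_name_checked(&d, body) != 0) return 0;
    return strcmp(d.friendly_name, name) == 0;
}

int main(void)
{
    /* Names of 29, 30 and 31 bytes: the unchecked copy overflows at 31,
       the hardened handler refuses at 31. */
    for (size_t len = 29; len <= 31; len++)
        printf("len=%zu unchecked_overflows=%d hardened_accepts=%d\n",
               len, unchecked_overflows_len(len), hardened_accepts_len(len));
    return 0;
}
```

Compile with `cc -Wall` and run. The point to carry away is where the check lives: a limit in the client protects nothing against a client the vendor did not write, so the device must validate every argument it parses out of a UPnP request, and should reject rather than truncate so that a refused write is visible to the caller.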

Igal Zeifman, vice president of marketing for Sternum, has warned businesses not to use this version of the Wemo plug within their networks, stating that they should either stop using the device entirely or at least ensure that its UPnP ports are not reachable remotely. According to Zeifman, IoT devices such as this should be held to the same security standard as other digital assets like desktops, laptops and servers. Yet IoT device security remains a challenge, as vendors continue to struggle with engineering security in by design.

With IoT devices becoming increasingly ubiquitous, the cybersecurity challenges have multiplied. Gartner forecast an estimated 25 billion active IoT devices worldwide by 2021, and breaches of IoT ecosystems have become a significant concern. The Wemo Mini Smart Plug V2 vulnerability underlines why device manufacturers must prioritise security by design. Even where device makers respond quickly to known vulnerabilities with firmware updates, updates alone may not protect internet-connected devices adequately, and, as this case shows, a device declared end-of-life may never receive one. As Sternum's research highlights, security must be built into the design from the outset, which reduces both the vulnerabilities and the risks associated with IoT devices.
