Critical Unresolved Security Flaw Detected in Belkin Wemo Smart Plugs
Belkin's second-generation Wemo Mini Smart Plug has been found to contain a significant buffer overflow vulnerability. This security flaw could potentially be exploited by cybercriminals to remotely execute arbitrary commands.
The vulnerability, designated as CVE-2023-27217, was unearthed and reported to Belkin by Sternum, an Israeli IoT security firm, on January 9, 2023. Sternum's team was able to discover this flaw by reverse-engineering the device and gaining access to its firmware.
The Wemo Mini Smart Plug V2 (F7C063) provides users with the convenience of remotely controlling electronic devices through a companion app on a smartphone or tablet.
The vulnerability originates from a feature that allows users to rename the smart plug to a more user-friendly name. By default, the device is named "Wemo mini 6E9."
Security researchers Amit Serper and Reuven Yakar noted in a report shared with The Hacker News that the name length is restricted to 30 characters or fewer. However, this limit is enforced only by the companion app, not by the firmware code on the device.
This means that by using a Python module named pyWeMo to bypass the character limit, a buffer overflow condition can be created. This condition can then be exploited to either crash the device or manipulate the code to execute malicious commands, thereby gaining control over the device.
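To illustrate the class of defect described above, here is an added C example (not Belkin's firmware code; the buffer size, variable and function names are assumptions) showing a rename handler that trusts the app to have checked the length beside a hardened version that enforces the 30-character limit on the device itself:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical firmware-side storage for the plug's friendly name.
 * 30 is the limit the report says the app enforces; the buffer size here
 * is an assumption for the example, not the real device layout. */
#define NAME_MAX_CHARS 30
#define NAME_BUF_SIZE  (NAME_MAX_CHARS + 1)   /* room for the terminating NUL */

static char g_friendly_name[NAME_BUF_SIZE] = "Wemo mini 6E9";

/* Flawed pattern: assumes the caller (the app) already checked the length.
 * Any other client on the network or cloud path can send a longer name,
 * and strcpy will write past the end of g_friendly_name. */
void set_friendly_name_unchecked(const char *name)
{
    strcpy(g_friendly_name, name);        /* no bound on the copy */
}

/* Hardened pattern: the device validates the length before copying and
 * rejects over-long input instead of truncating it silently.
 * Length is counted in bytes, which is stricter than the app's character
 * count for multi-byte UTF-8 names and therefore still safe. */
bool set_friendly_name_checked(const char *name)
{
    if (name == NULL)
        return false;
    /* strnlen stops scanning at NAME_BUF_SIZE, so an over-long name is
     * detected without walking an attacker-controlled string to its end. */
    size_t len = strnlen(name, NAME_BUF_SIZE);
    if (len == 0 || len > NAME_MAX_CHARS)
        return false;
    memcpy(g_friendly_name, name, len);
    g_friendly_name[len] = '\0';
    return true;
}

const char *get_friendly_name(void)
{
    return g_friendly_name;
}
```

The checked variant is the shape of fix a firmware update would need; enforcing the limit in the app alone, as the report describes, leaves the device-side buffer unprotected.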
Belkin has responded to these findings by stating that it does not intend to rectify this vulnerability. The reason given is that the device is nearing its end-of-life (EoL) and has been superseded by newer models.
The researchers warned that this vulnerability could potentially be activated via the Cloud interface, even without a direct connection to the device.
In light of the lack of a fix, it is recommended that users of the Wemo Mini Smart Plug V2 avoid exposing the devices directly to the internet. If these devices are used in sensitive networks, appropriate network segmentation should be implemented.
Igal Zeifman, Sternum's vice president of marketing, commented on the situation, saying, "This is the outcome when devices are released without any built-in protection. If manufacturers rely solely on reactive security patching, they will always be one step behind attackers, and eventually, the patches will cease to be released."