Sternum Researchers Find a Serious Security Flaw in Belkin's Wemo Mini, Which Will Remain Unpatched

Belkin washes its hands of the popular smart plug, saying that it's official end-of-life — and leaving a serious security flaw unpatched.

Security researchers at Sternum have revealed a vulnerability in Belkin's popular Wemo Mini Smart Plug, and warn that it could allow for command injection attacks — while the manufacturer says it won't be patching the flaw, leaving its users at risk.

"Part of our work at Sternum includes constant security research of IoT [Internet of Things] vulnerabilities to better understand IoT security gaps, boost the security capabilities of our platform and help device manufacturers improve their security postures," explain researchers Amit Serper and Reuven Yakar. "Our latest discovery [is] a buffer overflow vulnerability in a Wemo Mini Smart Plug V2 (model F7C063) device. We were able to reverse-engineer the device, gain firmware access, and leverage it to discover the security flaw."

Designed for use in home environments, the Wemo Mini is a compact gadget that acts as a relay for mains-connected devices — enabling otherwise-disconnected appliances to be remotely controlled based on a schedule, through a companion app, or via integration into a broader smart home system. To make that happen, they connect to the user's Wi-Fi network — which makes them a potential target for attack.

"In general, this appears to be a pretty popular consumer device, judging by the 17k reviews and the 4-star rating it has on Amazon and other resources," the researchers note. "Based on these numbers, it’s safe to estimate that the total sales on Amazon alone should be in the hundreds of thousands."

Which is something of a problem, as dismantling the device and reverse-engineering its operation revealed a flaw: it's possible to set the "friendly name," used in the companion app to differentiate devices on the network, in such a way as to trigger a buffer overflow and inject malicious commands. "While this wasn’t in the scope of our research," the researchers add, "from what we have gathered, it appears that this vulnerability could be triggered via the Cloud interface (meaning, without a direct connection to the device)."

Sadly for Wemo Mini owners, Belkin will not be fixing the flaw — telling Sternum that the device is official end-of-life and, as a result, no longer receiving firmware updates, even for security vulnerabilities. As a result, the researchers have some advice for those who have Wemo Mini devices deployed and who are not eager to replace them with something still-supported.

"Avoid exposing the Wemo Smart Plug V2 UPNP [Universal Plug and Play] ports to the internet, either directly or via port forwarding," the pair recommend. "[And] if you are using the Smart Plug V2 in a sensitive network, you should ensure that it is properly segmented and that device cannot communicate with other sensitive devices on the same subnet."

More information, including a walk through how the vulnerability was discovered, is available on the Sternum blog.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire:
Latest articles
Sponsored articles
Related articles
Latest articles
Read more
Related articles