The Wemo Mini Smart Plug V2, which allows users to remotely control anything plugged into it via a mobile app, has a security vulnerability that allows cyberattackers to throw the switch on a variety of bad outcomes. Those include remotely turning electronics on and off, and the potential for moving deeper into an internal network, or hop-scotching to additional devices.
Used by consumers and businesses alike, the Smart Plug plugs into an existing outlet and joins the local Wi-Fi network, where it exposes Universal Plug-n-Play (UPNP) ports for discovery and control; Wemo's cloud service relays commands from the mobile app over the broader Internet. Users can then control the device via the app, essentially offering a way to make old-school lamps, fans, and other utility items "smart." The app integrates with Alexa, Google Assistant, and Apple HomeKit, while offering additional features like scheduling for convenience.
The flaw (CVE-2023-27217) is a buffer-overflow vulnerability that affects model F7C063 of the device and allows remote command injection, according to researchers at Sternum who discovered it. Unfortunately, when they tapped the device maker, Belkin, for a fix, they were told that no firmware update would be forthcoming since the device is end-of-life.
"Meanwhile, it's safe to assume that many of these devices are still deployed in the wild," they explained in an analysis on May 16, citing the 17,000 reviews and the four-star rating the Smart Plug has on Amazon. "The total sales on Amazon alone should be in the hundreds of thousands."
Igal Zeifman, vice president of marketing for Sternum, tells Dark Reading that's a low estimate for the attack surface. "That's us being very conservative," he notes. "We had three in our lab alone when the research started. Those are now unplugged."
He adds, "If businesses are using this version of the Wemo Plugin inside their network, they should stop or (at the very least) make sure that the Universal Plug-n-Play (UPNP) ports are not exposed to remote access. If that device plays a critical role or is connected to a critical network or asset, you are not in great shape."
CVE-2023-27217: What's in a Name?
The bug exists in the way the firmware handles the naming of the Smart Plug. "Wemo mini 6E9" is the default name of the device out of the box, but users can rename it as they wish; the name is stored in what the firmware designates as the "FriendlyName" variable, the same field that appears in the device's UPNP description, and can be changed to "kitchen outlet" or similar.
"This option for user input already had our Spidey senses tingling, especially when we saw that changing the name in the app came with some guardrails, [specifically a 30-character limit]," Sternum researchers noted. "For us, this immediately raised two questions: 'Says who?' and 'What happens if we manage to make it more than 30 characters?'"
When the mobile app refused to accept a name longer than 30 characters, they instead connected directly to the device using pyWeMo, an open-source Python module for discovering and controlling WeMo devices over UPNP. Bypassing the app bypassed the guardrail as well: the device accepted the longer name without complaint.
"The restriction was only enforced by the app itself and not by the firmware code," they noted. "Input validation like this should not be managed just on the 'surface' level."
Observing how the overstuffed FriendlyName variable was handled in memory, the researchers found that any name longer than 80 characters overran the heap buffer holding it and overwrote the metadata of the adjacent heap chunk. Those corrupted values were then consumed by subsequent heap operations, at first producing crashes. Because the attacker chooses the bytes that land on the metadata, the overflow gives control over how memory is subsequently re-allocated, according to the analysis.
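To make the two points above concrete (the limit that lives only in the app, and the overflow that spills onto the next chunk's metadata), here is an added illustration in C. It is not Sternum's code and not the Wemo firmware: a toy heap with 8-byte chunk headers, an 80-byte FriendlyName buffer followed by a neighbouring chunk, an app-style 30-character check that the device never sees, and the firmware-side setter in both an unchecked and a length-enforcing form. The layout, the 64-byte neighbour and all function names are assumptions for the demo; only the 30- and 80-character figures come from the article.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap for illustration: each chunk is an 8-byte size header followed by its
 * payload, packed back to back the way embedded allocators commonly lay chunks out.
 * None of this is Wemo firmware; the 30- and 80-byte figures are the ones the
 * article reports, the 64-byte neighbour is an arbitrary choice for the demo. */
#define ARENA_SIZE        512
#define HDR               sizeof(uint64_t)
#define FRIENDLY_NAME_BUF 80   /* heap buffer that receives FriendlyName */
#define APP_NAME_LIMIT    30   /* limit enforced only by the mobile app */
#define NEIGHBOUR_SIZE    64   /* size of the chunk allocated right after the name */

struct toy_heap {
    uint8_t mem[ARENA_SIZE];
    size_t  top;               /* bump pointer: next free byte */
};

/* Allocate a chunk: store its size in the header, return the payload offset. */
static size_t toy_alloc(struct toy_heap *h, uint64_t size) {
    size_t hdr = h->top;
    memcpy(&h->mem[hdr], &size, HDR);
    h->top += HDR + (size_t)size;
    return hdr + HDR;
}

/* Read the size field stored immediately before a payload. */
static uint64_t toy_chunk_size(const struct toy_heap *h, size_t payload) {
    uint64_t s;
    memcpy(&s, &h->mem[payload - HDR], HDR);
    return s;
}

/* The client-side "guardrail": this check runs in the app, so anything that talks
 * UPNP to the device directly (pyWeMo, a hand-written SOAP request) never hits it. */
int app_allows_name(const char *name) {
    return strlen(name) <= APP_NAME_LIMIT;
}

/* Vulnerable pattern: trusts the client to have enforced the limit and copies the
 * whole string into the 80-byte buffer. Byte 81 onward lands on the next chunk's
 * header. (The copy is clamped to the arena so the demo itself stays memory-safe.) */
static void set_friendly_name_unchecked(struct toy_heap *h, size_t name_off, const char *name) {
    size_t n = strlen(name) + 1;
    if (name_off + n > ARENA_SIZE) n = ARENA_SIZE - name_off;
    memcpy(&h->mem[name_off], name, n);
}

/* Hardened pattern: the firmware enforces the buffer size itself. memchr bounds the
 * scan, so an unterminated or overlong name is rejected before anything is written. */
static int set_friendly_name_checked(struct toy_heap *h, size_t name_off, const char *name) {
    const char *nul = memchr(name, '\0', FRIENDLY_NAME_BUF);
    if (nul == NULL) return -1;             /* no terminator within 80 bytes: too long */
    memcpy(&h->mem[name_off], name, (size_t)(nul - name) + 1);
    return 0;
}

/* Scenario: an 80-byte FriendlyName chunk followed by a 64-byte neighbour. Apply one
 * of the two setters and return the neighbour's size field, so the caller can see
 * whether the rename clobbered it (intact value: NEIGHBOUR_SIZE). */
uint64_t neighbour_size_after_rename(const char *name, int hardened) {
    struct toy_heap h = { .top = 0 };
    size_t name_off = toy_alloc(&h, FRIENDLY_NAME_BUF);
    size_t next_off = toy_alloc(&h, NEIGHBOUR_SIZE);
    if (hardened)
        set_friendly_name_checked(&h, name_off, name);
    else
        set_friendly_name_unchecked(&h, name_off, name);
    return toy_chunk_size(&h, next_off);
}

/* Same scenario, hardened path only; returns the setter's verdict (0 ok, -1 rejected). */
int hardened_rename_result(const char *name) {
    struct toy_heap h = { .top = 0 };
    size_t name_off = toy_alloc(&h, FRIENDLY_NAME_BUF);
    toy_alloc(&h, NEIGHBOUR_SIZE);
    return set_friendly_name_checked(&h, name_off, name);
}

/* Constructed test input: a name of `len` 'A's (len < 128). */
const char *make_name(size_t len) {
    static char buf[128];
    if (len > sizeof buf - 1) len = sizeof buf - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

int main(void) {
    const char *n90 = make_name(90);   /* past both the app limit and the heap buffer */
    printf("app accepts 90-char name:           %d\n", app_allows_name(n90));
    printf("unchecked firmware, neighbour size: 0x%llx (intact: 0x%x)\n",
           (unsigned long long)neighbour_size_after_rename(n90, 0), NEIGHBOUR_SIZE);
    printf("checked firmware, neighbour size:   0x%llx, verdict %d\n",
           (unsigned long long)neighbour_size_after_rename(n90, 1), hardened_rename_result(n90));
    return 0;
}
```

Compiled with any C99 compiler and run, the unchecked setter turns the neighbour's 64-byte size field into 0x4141414141414141, the kind of attacker-chosen value a later allocation or free would then consume; the checked setter rejects the same input before a byte is written. The lesson is the one the researchers draw: the length limit has to live where the buffer lives, not only in the client.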
"It's a good wake-up call about the risk of using connected devices without any on-device security, which is 99.9% of devices today," Zeifman says.
Watch Out for Easy Exploitation
While Sternum isn't releasing a proof-of-concept exploit or enumerating what a real-world attack flow would look like in practice, Zeifman says the vulnerability isn't difficult to exploit. An attacker would need either network access, or remote Universal Plug-n-Play access if the device is open to the Internet.
"Outside of that, it's a trivial buffer overflow on a device with an executable heap," he explains. "Harder bastions have fallen."
He notes that attacks could likely be carried out via Wemo's cloud infrastructure as well.
"Wemo products also implement a cloud protocol (basically a STUN tunnel) that was meant to circumvent network address translation (NAT) and allow the mobile app to operate the outlet through the Internet," Zeifman says. "While we didn't look too deeply into Wemo's cloud protocol, we wouldn't be surprised if this attack could be implemented that way as well."
In the absence of a patch, device users do have some mitigations they can take; for instance, as long as the Smart Plug is not exposed to the Internet, the attacker would have to obtain access to the same network, which makes exploitation more complicated.
Sternum detailed the following common-sense recommendations:
- Avoid exposing the Wemo Smart Plug V2 UPNP ports to the Internet, either directly or via port forwarding.
- If you are using the Smart Plug V2 in a sensitive network, ensure that it is placed on a properly segmented network and that the device cannot communicate with other sensitive devices.
IoT Security Continues to Lag
As far as broader takeaways from the research, the findings showcase the fact that Internet of Things (IoT) vendors are still struggling with security by design — which organizations should take into account when installing any smart device.
"I think this is the key point of this story: This is what happens when devices are shipped without any on-device protection," Zeifman notes. "If you only rely on responsive security patching, as most device manufacturers do today, two things are certain. One, you will always be one step behind the attacker; and two, one day those patches will stop coming."
IoT devices should be equipped with "the same level of endpoint security that we expect other assets to have, our desktops, laptops, servers, etc.," he says. "If your heart monitor is less secure than the gaming laptop, something has gone horribly wrong – and it has."