A second-generation version of Belkin’s Wemo Mini Smart Plug has been found to contain a buffer overflow vulnerability that could be weaponized by threat actors to inject arbitrary commands remotely.
The thing is, assigning identifiers CVE-2023-27217discovered and reported to Belkin on January 9, 2023, by an Israeli IoT security company Sternumwho reengineered the device and gained access to the firmware.
Wemo Mini Smart Plug V2 (F7C063) offers a convenient remote control, allowing users to turn electronic devices on or off using a companion app installed on a smartphone or tablet.
The crux of the problem lies in the feature that allows renaming the smart plug to be more “Friendly Name.” The default name given is “Wemo mini 6E9.”
“Name length is limited to 30 characters or less, but this rule is only enforced by the app itself,” security researchers Amit Serper and Reuven Yakar said in a report shared with The Hacker News, added validation is not enforced by the firmware code.
As a result, circumventing the character limit by using the named Python module pyWeMo can cause a buffer overflow condition, which can then be reliably exploited to crash the device or, alternatively, trick code into executing malicious commands and taking control.
Belkin, in response to the findings, said that it has no plans to address the shortcoming due to the fact that the device is reaching end of life (EoL) and has been replaced by a newer model.
“It appears that this vulnerability could be triggered via the Cloud interface (that is, without a direct connection to the device),” the researchers cautioned.
If there is no fix, Wemo Mini Smart Plug V2 users are advised not to expose them directly to the internet and ensure that appropriate segmentation measures are applied if they have been implemented in sensitive networks.
“This is what happens when a device is shipped without protection on the device. If you rely solely on responsive security patches, as most device manufacturers do today, two things are certain: you will always be one step behind an attacker, and one day the patch will will stop coming,” said Igal Zeifman, vice president of marketing for Sternum.