Wemo won’t fix Smart Plug vulnerability allowing remote operation

Wemo Smart Plug V2

Enlarge / This guy? This guy can be tricked into offering remote control if you give it a long name. But he's too old for his maker to care much about that.

I once co-owned a coworking space. The space had doors with magnetic locks, unlocked by a powered relay. My partners and I realized that, if we could switch power to the system on and off, we could remotely control the door lock. One of us had a first-generation Wemo plug, so we hooked that up, and then the programmer among us set up a script that, passing Python commands over the local network, switched the door lock open and closed.

Sometimes it would occur to me that it was kind of weird that, without authentication, you could just shout Python commands at a Wemo and it would toggle. I'm having the same feeling today about a device that's one generation newer and yet also possesses fatal flaws.

IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm's blog post is full of interesting details about how this device works (and doesn't), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit—a limit enforced solely by Wemo's own apps—with third-party tools. Inside that overflow you could inject operable code. If your Wemo is connected to the wider Internet, it could be compromised remotely.

Read 7 remaining paragraphs | Comments



https://ift.tt/vP2RG3z

Comments