
Wemo Won't Fix Smart Plug Vulnerability Allowing Remote Operation (arstechnica.com)

An anonymous reader shares a report: IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm's blog post is full of interesting details about how this device works (and doesn't), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit -- a limit enforced solely by Wemo's own apps -- with third-party tools. Inside that overflow you could inject operable code. If your Wemo is connected to the wider Internet, it could be compromised remotely.

The other key takeaway is that Wemo-maker Belkin told Sternum that it would not be patching this flaw because the Mini Smart Plug V2 is "at the end of its life and, as a result, the vulnerability will not be addressed." We've reached out to Belkin to ask if it has comments or updates. Sternum states that it notified Belkin on January 9, received a response on February 22, and disclosed the vulnerability on March 14.
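The report's point is that the 30-character limit lives only in the client app, so the firmware copies whatever arrives. The following is an added illustration of that pattern and its fix; it is not Sternum's proof of concept or Belkin's code, and the struct layout, field names and function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed example: a "friendly name" setting with the 30-character
   limit the article describes. Not the device's real firmware. */
#define NAME_MAX 30

struct device_cfg {
    char name[NAME_MAX + 1];   /* 30 characters plus terminating NUL */
    uint8_t relay_on;          /* state that happens to sit after the buffer */
};

/* Weak pattern: the only length check is in the phone app, so the device
   trusts any name that reaches it over the network. A name longer than
   NAME_MAX runs past name[] into whatever follows. Kept here only for
   contrast with the hardened version below. */
void set_name_trusting_client(struct device_cfg *cfg, const char *name)
{
    strcpy(cfg->name, name);   /* unbounded copy into a fixed buffer */
}

/* Bounded length scan: never reads more than max bytes, so an
   unterminated or huge input cannot cause a runaway strlen. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened: the device enforces the limit itself and rejects overlong
   names outright instead of silently truncating them, so the app-side
   check becomes a convenience rather than the only defence.
   Returns 0 on success, -1 when the input is rejected and cfg is untouched. */
int set_name_validated(struct device_cfg *cfg, const char *name)
{
    if (cfg == NULL || name == NULL)
        return -1;
    size_t len = bounded_len(name, NAME_MAX + 1);
    if (len > NAME_MAX)
        return -1;                 /* too long: reject without copying */
    memcpy(cfg->name, name, len);
    cfg->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct device_cfg cfg = { .name = "plug", .relay_on = 1 };
    char overlong[64];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    printf("validated(short)    -> %d, name=%s\n",
           set_name_validated(&cfg, "kitchen-lamp"), cfg.name);
    printf("validated(63 chars) -> %d, name still=%s, relay_on=%u\n",
           set_name_validated(&cfg, overlong), cfg.name, cfg.relay_on);
    return 0;
}
```

The check belongs on the device because every other path to the setting (third-party tools, a replayed request) bypasses the app; rejecting rather than truncating also keeps the stored name identical to what the user confirmed.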

  • Any decent open source alternatives out there?
  • I wrote a program to monitor energy usage on TP Link Kasa smart plugs. It ran for a while and then the smart plugs would lock up, and even the physical buttons on the plugs wouldn't change their state.

    I didn't investigate if I might be able to gain access to the devices, but I'm assuming TP-Link doesn't care about updating the devices since their app hasn't offered me updates.

    https://github.com/wcbonner/Ka... [github.com]

    • by pahles ( 701275 )
      And what does this have to do with the Wemo Mini Smart Plug?
      • It's similarly buggy cheap junk. It illustrates the bigger problem. But really, Belkin is among the worst of the worst and TP-Link is one of the "better" ones.

  • EOL, really??? (Score:5, Insightful)

    by MNNorske ( 2651341 ) on Wednesday May 17, 2023 @09:23AM (#63528599)
    Sure they may not sell them anymore but the average consumer is going to keep these things as long as they keep working. And, since most of the time smart plugs just get set up once, a schedule added, and then are left in place they're going to keep working in most homes for years. So Belkin just admitted they are going to leave a known security vulnerability running in people's homes forever. Sorry Belkin but people are not going to replace a plug that costs > $20 a pop just because you say it's end of life, instead someone is going to phone up a lawyer and initiate a class action lawsuit which is going to cost you more than patching the code and initiating an update.
    • Truth in Labeling (Score:5, Insightful)

      by bill_mcgonigle ( 4333 ) * on Wednesday May 17, 2023 @09:34AM (#63528653) Homepage Journal

      We really should require manufacturers to put a sticker on their box that you see at the store that says "This plug will stop receiving updates on July 1 2027". Then maybe I'd buy the one for $2 more that said 2035. And perhaps the states that charge recycling fees up front should factor in the product lifecycle.

      I have light switches that are 40 years old and they're fine. Most people assume light switches are good to go for a very long time and if that's not true it should be properly labeled.

      And, yeah, my IoT devices are generally forbidden to talk to the Internet. The python-kasa project is very useful, for instance:

      https://github.com/python-kasa... [github.com]

      but normies can't handle that nor would they know that a conspiracy of obsolescence and vulnerability is the industry standard.

      • by TWX ( 665546 ) on Wednesday May 17, 2023 @09:42AM (#63528691)

        What we should really do is require manufacturers to actually support the software on the little blackboxes that they sell, or require them to open-source it and include a mechanism for update. I don't expect new features. I do expect vulnerabilities to be addressed.

        I've been a computer-enthusiast for something like 35 years and an IT professional for 25. I don't do IoT. This is why.

        • What we should really do is require manufacturers to actually support the software on the little blackboxes that they sell, or require them to open-source it and include a mechanism for update. I don't expect new features. I do expect vulnerabilities to be addressed.

          Yep. Make the retailer responsible for refunding your purchase if the support vanishes, if it is not OSS from day 1. You would quickly see the proprietary options vanish from shelves.

        • by DarkOx ( 621550 )

          In practice this just doesn't work though.

          It's hard enough to update stuff that was never even closed. Half the time you are going to need some build environment you haven't got based on a decades old release of GCC.

          Even if you forced companies to make all the sources to the uboot/Linux/ulibc/busybox/lighthttpd/application code - that comprises their firmware available it would still be hours of standing up some VM with the right versions of gcc/make/m4/yacc/autoconf/bison/nasm/etc configured as cross chai

          • It's pretty easy for the vendor to comply with all that stuff though, even if you go full anti-tivoization. They just buy it from someone else, make their customizations (or have them made under contract) and have their logo stuck on it. And whoever they buy it from makes that software available to everybody. You can't meaningfully force companies to support things, then you get into the business of having to evaluate their support.

            Not to mention, these days it's not very hard to build that decades-old cros

            • by DarkOx ( 621550 )

              You can't meaningfully force companies to support things, then you get into the business of having to evaluate their support.

              Which organizations like UL and consumer reports do all the time. Not really a problem.

              You stuff an appropriately old host OS into a virtual machine, and it solves your compatibility problems. Back before we all had an embarrassment of computing resources to burn on virtual machines and whatnot, that was a real concern. Today it's a non-problem.

              Right and the community will do exactly that for a big enough product. Things like devkitt PPC etc for the Wii and GameCube exist. I realize that.

              I don't see a lot of first party vendors being willing to package up their tool chain that way. Especially not to distribute as a VM under any kind of FOSS license. Unless they're very confident about their own right to distribute/redistribute everything including that sui

      • If they had to put it on the box, product servicing lifespans would double overnight. It's a competitive advantage to be able to hide that information until post sale. If they lose that advantage, they have to improve to stay in the market.

      • by Burdell ( 228580 )

        I had a 40-year-old light switch that runs my sink garbage disposal unit break... it wouldn't turn off! Had to go turn off the breaker (which was thankfully labeled correctly). Replaced that switch IMMEDIATELY!

        • by namgge ( 777284 )
          Shouldn't use light switches to control motors. Could well be why it failed so quickly.
          • It's a very common setup. Most disposals (in the US) wire to a NEMA 5-15P plug so you can only plug it into an outlet. The only way to turn it on/off is to wire your own switch. It seems like there probably are momentary-style pushbuttons that would work way better but in practice I've never seen one.

            But I don't really see there being enough amperage to damage a switch that is probably rated for 15 amps.

          • I had a 40-year-old light switch

            Shouldn't use light switches to control motors. Could well be why it failed so quickly.

            A light switch failing after 40 years is "quickly"? How long do switches normally last? This site [howtolookatahouse.com] says "You can expect a wall switch to last about 30 to 40 years, with an average of 35 years" so it seems like the GP got around the standard life out of the switch.

      • If there's an end of support date after which there will be no more updates, it should be required by law to brick itself on that date.

        "This plug will stop receiving updates on July 1 2027 AFTER WHICH IT WILL STOP WORKING FOREVER".

      • Making them put an EOUL on the box will cause them to lie on the box. That's all.

        • Making them put an EOUL on the box will cause them to lie on the box. That's all.

          And to complete the picture...include a shrink-wrap End User license. Once you break the shrink-wrap you have accepted the license...might not apply in the EU.

      • Then maybe I'd buy the one for $2 more that said 2035

        Would you buy one for $20 more? Because in reality what will happen is manufacturers won't compete on this, but rather offer it as a premium priced well above their standard 2 year offering.

    • Best I can tell is they only stopped selling them 3 years ago and there is new old stock still on shelves today. So that's a 3 year window on a product that's marketed as a home improvement upgrade.

      Meanwhile, the Nest thermostat was overdesigned and I have one that's about 10 years old that still hasn't had its battery replaced. They actually designed it with a battery twice the size as required and don't charge it to 100% so it lasts twice as long. It does cause havoc with older relays if you don't have

    • Belkin has been getting worse over the years. They used to be a pretty great source of high quality cables and miscellaneous laptop accessories, but even those have been slipping (and for a long time now) so now their name is worth basically nothing. I gave up on them more or less completely when every Belkin WAP I looked up (on my cellphone, while standing at a yard sale or what have you) wouldn't run openwrt, a sure sign of the shit shoveler.

      OTOH anyone who buys any non-OSS IoT hardware is obviously cluel

    • And that tells you all you need to know about Belkin.

      Don't buy anything from Belkin. They don't care at all about your security or safety, or even their corporate reputation.

    • by flippy ( 62353 )
      I'm absolutely going to replace the one Wemo that I still have, just not in the way Belkin expected. I'll be replacing it with a plug from a different manufacturer. Won't ever consider Belkin again if this is the kind of decision they make. Most likely the new one will be from Eve. Yes, the Eve Energy is $40 as opposed to Belkin's $20, but the energy usage data alone is worth the extra $20, not to mention a better, more well-supported product. 'Bye, Belkin!
    • Sure they may not sell them anymore but the average consumer is going to keep these things as long as they keep working. And, since most of the time smart plugs just get set up once, a schedule added, and then are left in place they're going to keep working in most homes for years.

      Yeah, it's a fucking plug, not a complex device that the OS will get too bloated for at some point. Wemo may simply hope people hear "OMG HACKERZ cAN STEAL MY BANK ACCOUNT" and buy new ones.

    • instead someone is going to phone up a lawyer and initiate a class action lawsuit which is going to cost you more than patching the code and initiating an update

      Honestly... I doubt it. People don't seem to give a **** about security of some home smart switches. People can barely get sue happy over video cameras broadcasting their private lives on the internet.

  • somehow I feel the public regulator should slam on their head.
    as for me, belkin shit is now in my ban-list

    • must be nice to live in the EU

      • Look, you chose to leave the EU, now you stay out until you drive on the right side of the road, use the metric system and pay in euros.
        • Re: (Score:2, Funny)

          by Tablizer ( 95088 )

          > use the metric system and pay in euros.

          I'm not taking another inch of this crap!

  • I did software QA a couple of decades ago. For some reason the company I worked for decided to develop its own implementations of some communications protocols instead of using the relicensable BSD versions. The programmers that wrote the in-house implementations followed exact current RFC only, and worse, didn't include anything to account for anything that wasn't intended coming in.

    I was able to crash their daemons by simply sending legitimate but deprecated commands from prior revs of these protocols,

    • by HiThere ( 15173 )

      Programmers MUST test their own code, but that's not sufficient. Necessary and sufficient are two separate constraints.

      OTOH, most companies don't seem to want to pay for decent Q/C.

      • by TWX ( 665546 )

        I suppose I should clarify.

        Programmers test their own code to make it function.

        Quality Assurance tests programmers' code to make it dysfunction, or to see how it behaves under plausible, then merely realistic, then implausible but possible, then borderline/edge-case scenarios.

        • by HiThere ( 15173 )

          It's more than that. The programmer knows the paths that need to be run for the necessary data to be extracted. Q/C checks for a different kind of problem, and one that the programmers have repeatedly proven extremely bad at checking for. The particular problem you were discussing is a Q/C problem, but only the programmer knows which pieces of data the program needs to find, so that needs to be checked for by the programmer. (For example, there are some purposes where processing a web page doesn't even

    • Had a college friend, Engineer of the Year at my school, who implemented an XNS protocol stack at the first company we worked for. Worked perfect talking to itself, but failed miserably at the first interop event. Turns out the guy got the C bitfield assignment order backwards! That's why I always and/or/xor bits myself instead of using bitfields; it's more explicit. (C standard allows compiler to put bit-fields in any order. There is no reliable and portable way to determine the order. That makes use of bi
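The bitfield-order point above is worth seeing in code. This is an added example, not the XNS stack the comment describes: a constructed one-byte header with a 4-bit version in the high nibble and a 4-bit type in the low nibble (the IPv4 version/IHL layout), written once as a bitfield struct and once with explicit shifts and masks. The struct, function and field names are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Bitfield form. C leaves the allocation order of bit-fields within a
   storage unit implementation-defined, so whether `version` ends up in
   the high or the low nibble of the byte on the wire depends on the
   compiler and target. Two stacks built this way can disagree. */
struct hdr_bitfield {
    unsigned version : 4;
    unsigned type    : 4;
};

/* Explicit form: the wire layout is spelled out, so every compiler and
   every endianness produces the same byte. */
uint8_t hdr_pack(unsigned version, unsigned type)
{
    return (uint8_t)(((version & 0x0Fu) << 4) | (type & 0x0Fu));
}

unsigned hdr_version(uint8_t b) { return (b >> 4) & 0x0Fu; }
unsigned hdr_type(uint8_t b)    { return b & 0x0Fu; }

/* Diagnostic only: reports whether this particular compiler placed the
   first-declared field in the high nibble of the first byte. Code that
   depends on the answer is exactly the non-portable code to avoid. */
int bitfield_first_is_high_nibble(void)
{
    union { struct hdr_bitfield f; uint8_t raw[sizeof(struct hdr_bitfield)]; } u;
    for (unsigned i = 0; i < sizeof u.raw; i++)
        u.raw[i] = 0;
    u.f.version = 0xA;
    return u.raw[0] == 0xA0;
}

int main(void)
{
    uint8_t wire = hdr_pack(4, 5);   /* 0x45, as in an IPv4 header's first byte */
    printf("packed: 0x%02X  version=%u type=%u\n",
           wire, hdr_version(wire), hdr_type(wire));
    printf("this compiler puts the first bit-field in the high nibble: %s\n",
           bitfield_first_is_high_nibble() ? "yes" : "no");
    return 0;
}
```

The explicit pack/unpack pair is what interop testing can actually pin down: the expected byte for (version 4, type 5) is 0x45 regardless of toolchain, whereas the bitfield result has to be discovered per compiler.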
  • The type of consumers who buy Belkin products, care little about security. They walk into your average technology retailer and buy on impulse, going with the most appealing packaging/display. Belkin know their customer base and their desire for cheap, consumer grade, crap gadgets.

    • I object to that assertion, I cared about security, and the reviews I saw at the time, and the fact that Belkin had router products instead of being no name brand or brands that hadn't done anything online (as well as price) motivated me to go with them.

      Been happily using four for years but nothing more critical than timing phone chargers, aquarium lights, air purifier and humidifier/fan.

      Discontinued software should be required to be open sourced IMO.

      • I object to that assertion, I cared about security, and the reviews I saw at the time, and the fact that Belkin had router products instead of being no name brand or brands that hadn't done anything online (as well as price) motivated me to go with them.

        You say you care about security, but then you say you assumed Belkin had good security because they make routers. But their routers are shit. Your entire security review amounted to "Hey Me, what do I think of this?" "Well, Me, Belkin seems like a reputable brand that makes high tech stuff". That's exactly the thought process everyone else buying Belkin is using!

        Discontinued software should be required to be open sourced IMO.

        Agreed, and you could have checked Belkin's OSS code center [belkin.com] to find out if that device was OSS before you bought it.

        Anyway, Belkin has a very bad r [theregister.com]

  • by jenningsthecat ( 1525947 ) on Wednesday May 17, 2023 @10:06AM (#63528801)

    Especially since there's a potentially serious security vulnerability here, Wemo / Belkin should be forced to either fix the problem regardless of EOL status, or publicly release under an Open Source license ALL of the schematics, code, and other information necessary to fix existing devices and even manufacture new ones.

    Failure to do this constitutes yet another bend-over-and-take-it response to corporations externalizing costs and thereby damaging society.

  • If you actually read the article, you'd see that they weren't able to get control with ASLR turned on, which it is by default.

    This is another bullshit article by a security firm trying to get business.

  • Just fucking stop connecting everything to the internet. Stop it. Like really. Light switches? Are you fucking fucked? Potted plant environment sensors? I can't even deal with the horrible stupidity of placing your entire existence on the internet. These people who adopt this shit always want to cry about privacy while simultaneously handing their privacy away.
