Security researchers at Sternum have disclosed a vulnerability in Belkin’s Wemo Smart Plug Mini V2. The flaw can be exploited to take remote control of the plug and to inject and run attacker-supplied code on it.
Sternum calls it the ‘FriendlyName’ buffer overflow: the bug is triggered through the device’s FriendlyName field, the user-assigned name the plug exposes over UPnP, where an over-long value overruns a fixed-size buffer. The technical write-up is fairly involved, but the full details are published on the IoT security company’s website.
When Sternum reported the issue to Belkin, the company replied that “the device is at the end of its life and will not be patched.”
Since there are no plans to patch the smart plug, Sternum offers two mitigations worth taking seriously:
- Do not expose the Wemo Smart Plug V2’s UPnP ports to the internet, either directly or through a port-forwarding rule on the router.
- If the Smart Plug V2 sits in a sensitive network, put it on its own segment (for example a separate IoT VLAN) and firewall that segment so the plug cannot reach other sensitive devices.
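As an added illustration of the second mitigation (this is not Sternum’s or Belkin’s configuration, and the subnet addresses and the WAN interface name are assumptions), the following nftables ruleset on a Linux router keeps an IoT VLAN separated from a trusted LAN. The forward chain’s default policy is drop, so the only traffic that crosses between segments is what the rules explicitly allow: the trusted LAN may open connections to the plug, the plug may reach the internet, and nothing from the internet or the IoT VLAN may open a connection toward the trusted LAN.

```nftables
# Example ruleset (not from the original article). Assumed addressing:
#   trusted LAN  192.168.10.0/24
#   IoT VLAN     192.168.20.0/24   (the Wemo plug lives here)
#   WAN uplink   interface "wan0"
table inet iot_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were already allowed.
        ct state established,related accept

        # Trusted LAN may initiate connections to the IoT VLAN
        # (needed for app control of the plug from a phone or PC).
        ip saddr 192.168.10.0/24 ip daddr 192.168.20.0/24 accept

        # IoT VLAN may reach the internet, but nothing else: with the
        # drop policy it cannot open connections into the trusted LAN.
        ip saddr 192.168.20.0/24 oifname "wan0" accept

        # Trusted LAN may reach the internet as usual.
        ip saddr 192.168.10.0/24 oifname "wan0" accept

        # No accept rule exists for traffic arriving on wan0 and bound
        # for 192.168.20.0/24, so the plug's UPnP ports are not reachable
        # from the internet even if someone later adds a DNAT rule for it.
    }
}
```

Load it with `nft -f <file>` and confirm the result with `nft list ruleset`. Two caveats: the router itself must not have UPnP IGD (automatic port opening) enabled, since that would let a device request its own forwarding rule; and because UPnP discovery uses multicast, which does not cross subnets, the plug will typically only be controllable from the trusted LAN through the vendor’s cloud path or by its IP address rather than by local discovery.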
While the V2 model affected by the vulnerability is no longer supported by Belkin, a patch would still be an appreciated gesture of goodwill; until then, owners who cannot isolate the device should consider retiring it.
It’s unfortunate to see a potentially serious vulnerability remain exploitable.
Image credit: Amazon