Tag Archive for: WeMo

Critical security flaw exposes Wemo Smart Plugs to hackers


Wemo Smart Plugs have a flaw


Researchers found a security flaw in an older version of the Wemo Mini Smart Plug that involved changing its name — and Belkin isn’t going to fix it.

The Wemo Mini Smart Plug is designed to offer convenient remote control over lights and basic appliances, such as fan lamps, through a mobile app. The application utilizes Wi-Fi for communication and seamlessly integrates with HomeKit and other smart home ecosystems.

Among other functions, the app lets people change the device name. The length is limited to 30 characters or fewer, but only the app enforces that rule.

However, through reverse engineering, the security experts at Sternum discovered a method to circumvent the character limit, thereby triggering a buffer overflow. They subsequently named this vulnerability “FriendlyName.”

A buffer overflow happens when more information is put into a storage area (buffer) than it can hold. It’s like pouring more water into a cup than it can hold, causing it to overflow.

That can lead to unexpected results in computer systems because the extra information can overwrite or change nearby data. Hackers can use a buffer overflow to gain unauthorized access or cause malfunctions in a computer program.

Accessing the firmware

The researchers from Sternum examined the smart plug’s firmware and used it to change the device’s name to one that was longer than the app’s rule of 30 characters. The resulting overflow allowed them to issue commands to the device and control it.

In the hands of a malicious hacker, that could lead to data theft or possibly controlling other devices plugged into the Wemo device.

The team contacted Belkin to inform the company of the security flaw. However, Belkin said it wouldn’t fix the vulnerability because the Wemo Smart Plug V2 is at the end of its life.

The current Wemo Smart Plug is version 4.

How to protect yourself from “FriendlyName”

Sternum says people who own one of these plugs shouldn’t connect them to the internet. They also shouldn’t be allowed to connect to sensitive devices on a…

Update your Belkin WeMo devices before they become botnet zombies

Owners of WeMo home automation devices should upgrade them to the latest firmware version, which was released this week to fix a critical vulnerability that could allow hackers to fully compromise them.

The vulnerability was discovered by researchers from security firm Invincea in the Belkin WeMo Switch, a smart plug that allows users to remotely turn their electronics on or off by using their smartphones. They confirmed the same flaw in a WeMo-enabled smart slow cooker from Crock-Pot, and they think it’s probably present in other WeMo products, too.

WeMo devices like the WeMo Switch can be controlled via a smartphone app that communicates with them over a local Wi-Fi network or over the Internet through a cloud service run by Belkin, the creator of the WeMo home automation platform.

Network World Security

Belkin fixes WeMo security holes, updates firmware and app

If you’ve made the decision to try home automation and WeMo, then you might have noticed that Belkin WeMo is like a potato chip; you can’t have just one. If you try it and like it, then the next thing you know, you have all sorts of WeMo devices. If that describes you, then you were probably a pretty unhappy camper after being told that Belkin chose not to respond about the security holes and therefore…
Ms. Smith’s blog

Eavesdropping made easy: Remote spying with WeMo Baby and an iPhone

When it comes to home automation, many people turn to Belkin WeMo because you can plug almost anything into the “smart” electrical switch and then remotely control it from a smartphone.
Ms. Smith’s blog