Security Issue Detected in Belkin's Wemo Smart Plug Mini V2

As the number of IoT devices continues to grow exponentially, millions of devices around the world remain vulnerable to cyberattacks, and a recently discovered vulnerability in the WeMo Smart Plug Mini V2 will not be fixed, forcing owners to replace them or increase their internal security. Having worked in the field of IoT security for several years, I've seen firsthand how vulnerabilities like this can impact consumers. What challenges does the growing IoT market introduce to consumers with regard to security, why is the new vulnerability not being fixed, and what can engineers do to try and help consumers in the future?

Why does the IoT market present a serious security risk to consumers?

There is no doubt that the IoT market has massively grown over the past ten years, and unlike other emerging markets that commonly go through a bubble and burst, the IoT industry actually provides very real and tangible benefits. 

The ability to deploy sensors en-masse helps spaces to become smart when combined with AI and ML models, and this can be used for improving energy efficiency, environmental conditions, and even combatting climate change. Devices deployed in homes can help to introduce automation in daily activities, make intelligent decisions, and also help those with accessibility issues. In fact, it seems that whatever IoT technologies touch, it provides technological advancement. However, for all the advantages that IoT devices bring, there is a growing issue that continues to get worse with each passing day, and this issue is security. 

Fundamentally, the low-cost nature of IoT devices, combined with their ability to access networks and widespread deployment, makes them an ideal target for cybercriminals. IoT devices that have access to personal data, such as microphone recordings and images, can be used to spy on unsuspecting individuals. This can, in turn, be used to reveal passwords, secretes, embarrassing conversations, and even revealing images that could be used for exploitation. 

Another use for hacked IoT devices is to use them as vectors in large-scale cyberattacks. A single IoT device on its own is unable to do much, but having one thousand devices, all pinging a single IP address (such as a server), can quickly overload the system, causing a denial of service to those wanting to legitimately use the IP resource. If one device can be hacked, there is a high chance that the same attack will work on other identical devices, and considering that there can be millions of identical devices, the reward for a successful hack can be tremendous. For instance, in 2016, the Mirai botnet, composed largely of IoT devices like cameras and routers, was used to launch a massive Distributed Denial of Service (DDoS) attack on the DNS provider Dyn, causing major internet platforms and services to be unavailable for users in Europe and North America (Kolias et al., 2017). 

However, by far, the biggest challenge with security in IoT devices is that the rate at which new devices are being developed often sees many outdated devices remaining in service, and many manufacturers will often drop support for these devices. This means that many consumers will purchase IoT devices, thinking they will get a good decade of use from them, only to find out that the manufacturer stops providing updates after two to three years. Thus, security flaws that are eventually found will not be addressed, leaving anyone with that device vulnerable. 

Researchers discover a vulnerability in WeMo Smart Plug, but will not receive updates

In what can only be described as un-shocking and expected, researchers from Sternum recently discovered a vulnerability in the WeMo Smart Plug Mini V2 that allows a hacker to gain remote control of the plug, thus allowing for power to be connected and disconnected at will (Sternum, 2023).  The bug takes advantage of a custom-made Python script that can connect to the plug without the need for using the WeMo app. However, once connected, the device name is changed to something with more than 30 characters, which results in a buffer overflow event. This then allows a hacker to remotely inject code into memory and then have the device execute this code. To delve deeper into the technicalities, the Python script exploits a flaw in the device's firmware, where the device name parameter isn't properly sanitized. This allows for a buffer overflow event, which is essentially when more data is written to a buffer than it can handle, causing it to overflow and overwrite adjacent memory locations. In this case, the overflow allows a hacker to inject malicious code into the device's memory, effectively giving them control over the device. 

In simpler terms, a buffer overflow is a situation where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. This is a security risk as it can cause a system crash or create an entry point for a cyber attack. In this case, the hacker tricks the device into running malicious software, giving them control over the device and potentially access to the network it's connected to.

Under normal circumstances, the discovery of such a bug will see software teams develop a solution (in this case, a simple boundary check for buffered data would suffice), but unsurprisingly, WeMo has decided to provide no updates as the product is now “end of life”. As such, any customer using the WeMo Smart Plug Mini V2 needs to take immediate action to protect themselves and their devices from potential cyberattacks. 

One option is for users to simply throw the device away, replacing it with a more up-to-date version, but this is both expensive and wasteful. Another option is to deploy network segregation, whereby the WeMo device operates on its own isolated network, and closing off UDP ports to the device from outside connections can help to prevent unauthorised access.

What can engineers do to help consumers in the future?

While the company responsible for the WeMo Smart Plug Mini V2 may be legally in the right, it is entirely immoral for devices to be discontinued after only a few years of deployment and provide no additional support to consumers. However, there are numerous methods that engineers can deploy to help mitigate such practices in the future. For consumers, there are also steps that can be taken to protect their IoT devices. Regularly updating the device's software can help to patch any security vulnerabilities. Using strong, unique passwords and enabling two-factor authentication, if available, can also enhance the security of IoT devices. Furthermore, consumers should be cautious about the information they share with their devices and consider the privacy implications of using IoT devices. For example, devices with microphones or cameras could potentially be used to spy on users if they are compromised. Therefore, it's important to consider these risks and take appropriate precautions when using IoT devices. 

One such option is to move towards open-source hardware, whereby ageing equipment can be disassembled by customers, reprogrammed, and retrofitted with any additional systems needed to keep that hardware relevant. This also gives the community the option to continue providing security updates, which is commonly done with many open-source projects such as Linux. Devices can remain closed-source during the few years that a manufacturer supports them, but once this time period has expired, making the project open significantly helps consumers. For more information on open-source hardware and its potential benefits for IoT security, readers can refer to the Open Source Hardware Association's website (https://www.oshwa.org/). 

Another option is to move devices away from traditional monolithic coding schemes and start to deploy more complex operating systems that can accept dynamic software updates. At the same time, modularising software services and using common libraries can help manufacturers offer extended support for devices, as new engineers being trained can more easily provide updates and fixes (i.e., there is less need to have engineers who worked on the system originally).

Overall, engineers need to start thinking about the long-term effects of their designs and how they can provide consumers with the best support, especially for devices in the IoT sector. Bad security practices are dangerous enough, but not providing long-term support only hurts consumers when it comes to the deployment of IoT systems and may even persuade future consumers not to integrate IoT solutions into their environments. The implications of these security issues extend beyond individual consumers. As IoT devices become increasingly integrated into critical infrastructure, from power grids to healthcare systems, ensuring their security is of paramount importance. If left unaddressed, these vulnerabilities could potentially be exploited to cause widespread disruption and harm.