
Security experts at Sternum identified a critical vulnerability (CVE-2023-27217) in Belkin’s Wemo Smart Plug V2. When exploited, it allows an attacker to execute code remotely, which could compromise your entire network. But Belkin won’t fix it.
Before we get into the details, I should note that Sternum demonstrated this exploit over a direct connection to a Wemo Smart Plug V2. The researchers believe remote code execution could also be achieved through the cloud (from outside your home), but they have not confirmed this.
Anyway, Sternum alerted Belkin to this vulnerability. And it received a ridiculous response; in Belkin’s words, the Wemo Smart Plug V2 “is at the end of its life and will not be patched.”
It’s true that the Wemo Smart Plug V2 is a bit old. After all, Belkin is currently selling a fourth-gen model (which is not affected by this problem). But the product still works, it’s still in many homes, and if customers knew that their Wemo Smart Plug would become a security threat, they probably wouldn’t have bought it in the first place.
Even if you don’t own the second-gen Wemo Smart Plug, Belkin’s short-sighted response is alarming. How will this company deal with security vulnerabilities in its other products? (Unfortunately, this sort of response is growing increasingly common among smart home brands, which like to pretend that smart home devices should have a short shelf life.)
You can identify which Wemo Smart Plug model you own by checking the back of the device. Sternum suggests that businesses (or other sensitive networks) properly segment their Wemo Smart Plug V2 to keep it isolated from other devices. Home users should avoid exposing their smart plugs through port forwarding (which is good advice for any smart home device, frankly speaking).
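To make the segmentation advice concrete, here is an added example of an nftables forwarding policy for a home or small-office router. It is not from the article or from Sternum; the interface names (wan0, lan0, vlan20) and subnets are assumptions. The idea is that devices on the IoT segment, where the smart plug lives, can reach the internet and can be reached from the main LAN, but can never initiate connections into the LAN, and nothing from the WAN is forwarded to them, so an accidental port-forward rule has no effect.

```nft
# Added example (not from the article). Assumed topology:
#   wan0   = upstream interface
#   lan0   = trusted LAN (assumed 192.168.10.0/24)
#   vlan20 = IoT segment holding the smart plug (assumed 192.168.20.0/24)
table inet iot_segmentation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections already allowed below may flow both ways
        ct state established,related accept

        # IoT devices may talk to the internet (cloud control, firmware updates)
        iifname "vlan20" oifname "wan0" accept

        # Trusted LAN clients may initiate connections to IoT devices,
        # e.g. to control the plug locally; the reverse direction is never opened
        iifname "lan0" oifname "vlan20" accept

        # Trusted LAN to internet
        iifname "lan0" oifname "wan0" accept

        # Everything else is dropped by the chain policy: IoT -> LAN lateral
        # movement and WAN -> IoT (any DNAT/port-forward) both land here.
        # Log before dropping so unexpected exposure attempts are visible.
        log prefix "iot-seg-drop: " drop
    }
}
```

Load it with `nft -f` on the router and check with `nft list table inet iot_segmentation`. Because the chain policy is drop and there is no `wan0` to `vlan20` accept rule, even a port-forward (DNAT) entry added elsewhere cannot expose the plug; the forwarded packet is still dropped and logged here.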