Are you an owner of a smart home? If yes, maybe you’re acquainted with the Belkin Wemo Insight smart plug. It serves to turn your lights and appliances on and off, and it can also monitor them from anywhere.
The plug is also designed to get insight into home energy usage and can be paired with Amazon Alexa and Google Home. So far, so good.
The problem is that the plug has been vulnerable for nearly a year, and a fix has not been introduced yet despite the makers being notified about the security bug. In other words, the Belkin Wemo Insight smart plug still contains the same zero-day remote code execution vulnerability almost a year after the bug was disclosed. The bug is tracked as CVE-2018-6692.
Here’s the official description of CVE-2018-6692:
Stack-based Buffer Overflow vulnerability in libUPnPHndlr.so in Belkin Wemo Insight Smart Plug allows remote attackers to bypass local security protection via a crafted HTTP post packet.
This security gap opens the door for attacks against IoT devices as the plug is connected to a home network.
According to an analysis of recent samples of the Bashlite malware (https://sensorstechforum.com/internet-things-botnet-new-type-malware/) conducted by McAfee researchers, there are Metasploit modules that target the Wemo UPnP protocol.
The researchers believe that hackers are targeting a diverse range of IoT devices in an attempt to discover vulnerable ones, and then utilize default credentials to gain access.
More about the RCE Vulnerability in Belkin Wemo
Nearly a year ago, on May 21, 2018, the security researchers contacted Belkin to inform them about the RCE bug in the smart plug. The report not only included a detailed analysis of the issue but also presented an on-camera demonstration of how the issue can be exploited.
In addition, the experts said that CVE-2018-6692 could be related to another, older vulnerability within Wemo, which has been patched. Via the action SetSmartDevInfo and corresponding argument SmartDevURL, the 2015 flaw allowed third parties to fingerprint and exploit devices without the user’s permission.
Vulnerabilities such as the CVE-2018-6692 Belkin Wemo bug could allow hackers to take over a range of connected devices, including surveillance cameras. A patch for the vulnerability may be released at the end of this month, but the date hasn’t been confirmed. Notably, Belkin recently patched a different vulnerability in its Mr. Coffee coffee maker with Wemo.
What to do to avoid attacks involving CVE-2018-6692?
As this vulnerability requires network access to exploit the device, the expert recommendation is to implement strong WiFi passwords, and isolate IoT devices from critical devices using VLANs or network segmentation.
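To check that the segmentation recommended above actually holds, and to watch for the SetSmartDevInfo action mentioned earlier, a log review along the following lines can help. This is an added example, not code from McAfee or Belkin; the subnet, the key=value log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed layout, not from the article: smart plugs live on their own VLAN.
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
# Action named in the article as the entry point of the 2015 Wemo flaw.
WATCHED_ACTIONS = {"SetSmartDevInfo"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines in a hypothetical key=value proxy/flow log format.
SAMPLE_LOG = """\
2019-04-10T10:02:11Z src=192.168.20.2 dst=192.168.20.14 method=POST soapaction="urn:Belkin:service:basicevent:1#SetBinaryState"
2019-04-10T10:03:40Z src=192.168.1.50 dst=192.168.20.14 method=POST soapaction="urn:Belkin:service:basicevent:1#GetBinaryState"
2019-04-10T10:05:02Z src=192.168.20.77 dst=192.168.20.14 method=POST soapaction="urn:Belkin:service:basicevent:1#SetSmartDevInfo"
2019-04-10T10:06:19Z src=192.168.1.50 dst=192.168.1.1 method=GET soapaction=-
not a log line
"""

def parse_line(line):
    """Return a dict of key=value fields, or None if the line is unusable."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not {"src", "dst", "method"} <= fields.keys():
        return None
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dst"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    return fields

def find_alerts(log_text):
    """Return (reason, src, dst) tuples for requests that warrant a look."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in IOT_NET:
            continue
        # Segmentation check: nothing outside the IoT VLAN should reach a plug.
        if rec["src"] not in IOT_NET:
            alerts.append(("cross-segment", str(rec["src"]), str(rec["dst"])))
        # SOAPAction is "<service-urn>#<action>"; compare the action part only.
        action = rec.get("soapaction", "").rpartition("#")[2]
        if rec["method"] == "POST" and action in WATCHED_ACTIONS:
            alerts.append(("watched-action:" + action, str(rec["src"]), str(rec["dst"])))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

A cross-segment alert means the VLAN or firewall rules are not isolating the plug as intended; a watched-action alert from inside the IoT segment points to another device on that segment worth inspecting.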