PSA: time to recycle your old Wemo smart plugs (if you haven’t already)

The Wemo Smart Plug Mini V2’s security flaw will not be fixed. | Photo by Amelia Holowaty Krales / The Verge

Security researchers at Sternum report they’ve found an exploitable vulnerability in the Wemo Smart Plug Mini V2 (via 9to5Mac). The plug debuted in 2019, offering cross-platform compatibility with Apple HomeKit, Google Assistant, and Alexa.

The bug would let a savvy hacker gain remote command of your Wemo plug by circumventing the Wemo app with a community-made Python app called PyWeMo. Once connected, an attacker can change the device name to something with more than 30 characters, resulting in a buffer overflow that allows the attacker to inject commands remotely.
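The length limit described above only protects the device if the device itself enforces it, since a client other than the official app can send whatever it likes. The following C sketch is an added example, not Belkin's firmware or code from Sternum's report; `device_config`, `set_device_name` and the control-character rule are hypothetical, and the buffer size is taken from the 30-character figure in the article.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_CHARS 30   /* the 30-character limit the article mentions */

/* Hypothetical settings record: the name sits beside other state that an
 * unchecked copy would overwrite. */
struct device_config {
    char name[NAME_MAX_CHARS + 1];   /* +1 for the terminating NUL */
    int  relay_on;
};

enum name_status { NAME_OK, NAME_EMPTY, NAME_TOO_LONG, NAME_BAD_CHAR };

/* Validate on the device, then copy. Over-long names are rejected rather
 * than truncated, and nothing is written unless every check passes. */
enum name_status set_device_name(struct device_config *cfg,
                                 const char *req, size_t req_len)
{
    size_t n = 0;
    while (n < req_len && req[n] != '\0')   /* bounded length scan */
        n++;
    if (n == 0)
        return NAME_EMPTY;
    if (n > NAME_MAX_CHARS)
        return NAME_TOO_LONG;
    for (size_t i = 0; i < n; i++) {        /* assumption: no control bytes */
        unsigned char c = (unsigned char)req[i];
        if (c < 0x20 || c == 0x7f)
            return NAME_BAD_CHAR;
    }
    memcpy(cfg->name, req, n);
    cfg->name[n] = '\0';
    return NAME_OK;
}

int main(void)
{
    struct device_config cfg = { "plug", 1 };
    char long_name[41];                      /* constructed 40-character input */
    memset(long_name, 'A', 40);
    long_name[40] = '\0';

    printf("short name -> %d\n", set_device_name(&cfg, "Living room lamp", 16));
    printf("long name  -> %d\n", set_device_name(&cfg, long_name, 40));
    printf("stored name \"%s\", relay_on=%d\n", cfg.name, cfg.relay_on);
    return 0;
}
```

The rejected request leaves both the stored name and the adjacent `relay_on` field unchanged, which is the property the app-side limit alone cannot guarantee.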

When Sternum disclosed the vulnerability to Belkin, it was told that since the device was at the end of its life, it would not be receiving a fix. Sternum then reported the…
