      Wemo won’t fix Smart Plug vulnerability allowing remote operation

      news.movim.eu / ArsTechnica · Tuesday, 16 May, 2023 - 20:35 · 1 minute

    Wemo Smart Plug V2

    This guy? This guy can be tricked into offering remote control if you give it a long name. But he's too old for his maker to care much about that.

    I once co-owned a coworking space. The space had doors with magnetic locks, unlocked by a powered relay. My partners and I realized that, if we could switch power to the system on and off, we could remotely control the door lock. One of us had a first-generation Wemo plug, so we hooked that up, and then the programmer among us set up a script that, passing Python commands over the local network, switched the door lock open and closed.

    Sometimes it would occur to me that it was kind of weird that, without authentication, you could just shout Python commands at a Wemo and it would toggle. I'm having the same feeling today about a device that's one generation newer and yet also possesses fatal flaws.

    IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm's blog post is full of interesting details about how this device works (and doesn't), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit—a limit enforced solely by Wemo's own apps—with third-party tools. Inside that overflow you could inject operable code. If your Wemo is connected to the wider Internet, it could be compromised remotely.

      Wemo’s confused Smart Dimmer shows how hard standardizing IoT may be

      news.movim.eu / ArsTechnica · Thursday, 4 August, 2022 - 17:13

    When the smart home compatibility standard Matter finally arrives, it promises to simplify and improve the connections and compatibility between different device brands, using Thread as its secure, low-energy backbone.

    Until then, let devices like Wemo's new Smart Dimmer with Thread serve as a warning: Matter runs on Thread, but not all Thread devices will give you a Matter experience. Belkin's new dimmer is a prime example of a device "with Thread" that is far from universally accessible—and likely confusing to buyers.

    Wemo's new dimmer doesn't require the onerous Wi-Fi setup you might remember from switches of old, instead connecting to your smartphone by Bluetooth or an NFC tap. To use it outside of Bluetooth range, you'll need a Thread network in your home. But here's where it gets tricky: This smart dimmer is controlled exclusively through HomeKit, so you'll specifically need a HomePod Mini or second-generation Apple TV 4K within a reasonable range of the switch. Those more robust devices can act as "border routers" in a Thread network, allowing more single-purpose devices like a dimmer to connect to a Thread mesh and access the Internet.
