Mac iconbuilder plugin6/19/2023 We reached out to Belkin (the device manufacturer) with our findings.Leveraging these findings, we were able to demonstrate how the vulnerability can be used for command injection.Through experimentation, we learned that we could obtain a measure of control and predictability over how the overflow occurred.Through a process of reverse engineering, we saw that circumventing the character limit resulted in a buffer overflow.The name length is limited to 30 characters or less but the rule is only enforced by the app itself (not enforced by firmware).Wemo Mini Smart Plug V2 is managed by a mobile application, that allows its user to change the device name (a.k.a.Wemo Mini Smart Plug V2 flawĪfter talking with Belkin, Sternum shared the full background and details on the flaw today. ![]() The tough part is there are likely hundreds of thousands of the V2 version out in the wild (note: Version 4 is the latest model Belkin is selling which does not suffer from the flaw). ![]() Sternum found the flaw specifically with the Belkin Wemo Mini Smart Plug V2 which works with HomeKit, Google Assistant, and Amazon Alexa.Īfter reaching out to Belkin about the security issue, Sternum was told that “the device is at the end of its life and will not be patched.” Read on for the details about how the Wemo Mini Smart Plug V2 flaw can be exploited for remote command execution and why Belkin has decided not to patch it. ![]() IoT security company Sternum has discovered a vulnerability in one of Belkin’s smart home devices.
0 Comments
Leave a Reply. |