
Belkin WeMo Insight smart plugs vulnerable to attack

29 Apr 2019

Cybersecurity firm McAfee is suggesting that the Belkin WeMo Insight smart plug could be vulnerable to malware attacks – and Belkin has taken a very long time to fix the problem.

Earlier this month, McAfee head of advanced threat research Steve Povolny came out swinging against Belkin. He claims that in May 2018 his team warned Belkin of a vulnerability (CVE-2019-6692) that could be exploited by an attacker to turn off the switch, overload it, or connect to the switch’s network to become an entry point to a larger attack.

Despite Belkin’s acknowledgement of the vulnerability, it seems the company never did anything about it. Instead, they apparently patched a vulnerability in an entirely different product that doesn’t appear to be on the market anymore.

Three months later McAfee publicly disclosed the vulnerability to raise awareness that there is a definite security issue with the WeMo Insight smart plug. Still, Belkin did nothing about it, according to Povolny.

“As of April 10th, 2019, we have heard of plans for a patch towards the end of the month and are standing by to confirm,” he writes in a blog – but there doesn’t seem to be any hard evidence or a release date yet.

So it has taken almost a year for Belkin to do something about it – and for all that time, the vulnerability has remained exploitable. Povolny also suspects that malware creators are incorporating the WeMo Insight vulnerability into IoT malware, because the devices are unpatched. Bashlite is one such piece of IoT malware that is already compromising IoT devices.

“As this vulnerability requires network access to exploit the device, we highly recommend users of IoT devices such as the WeMo Insight implement strong WIFI passwords, and further isolate IoT devices from critical devices using VLANs or network segmentation,” Povolny writes.

He also points out that IoT devices are prime targets for security issues, and companies like Belkin should be quick off the mark to fix issues, especially when attackers keep track of vulnerabilities that they can weaponise.

He adds that consumers should also apply basic security measures like keeping on top of product updates, using strong passwords, and keeping critical devices away from the IoT.

What’s more, those who use their work devices on home networks should also be concerned.

“Just because this is an IoT consumer device typically, does not mean corporate assets cannot be compromised. Once a home network has been infiltrated, all devices on that same network should be considered at risk, including corporate laptops. This is a common method for cyber criminals to cross the boundary between home and enterprise.”
