WEMO Hardware

Showing results for 
Search instead for 
Do you mean 
Reply
Posts: 273
Registered: ‎03-08-2017

CVE-2018-6692

First: I do appreciate Belkin being forthcoming about this vulnerability insofar as notifying this forum. HOWEVER: the vulnerability was disclosed to Belkin in May, and won’t be patched until the end of September.

Given the known remote access issues where any user can control any other user’s WeMos remotely by spoofing the MAC address, how is this not being tracked more aggressively? The acknowledgement on this forum seems to have been posted in attempt to head off bad PR, but there would have not been a need to do so if the white hat report had resulted in a fix. Instead Belkin sat on their rear ends yet again for so long that the disclosing group felt ethically obligated to go public.

How long until someone’s unpatched Crockpot or hacked plug burns down a house? How many people will die before Belkin pays any attention to this product?
Posts: 7
Registered: ‎01-07-2018

Re: CVE-2018-6692

Where did they say it would be fixed in September?
WEMO Maker Inventor
Posts: 1,649
Registered: ‎06-14-2014

Re: CVE-2018-6692

From what I understand an attacker does need access to your home network to exploit the fault, if that's the case it sure seems like I'd have bigger problems than burnt stew Smiley Happy.

 

Seriously, to me the safest thing to do is to deny the wemos access to the internet at best, at worst put them in a private subnet with no access to your main network.  With belkin's known cloud vulnerabilities I worry most about an attacker coming in from there directly rather than exploiting the device locally.

 

It's also a very strong case for DISABLING upnp on your router.  It's a horrible feature (IMHO!) that allows anything running inside your network to reconfigure your router to open your network and let in all sorts of terrible things.  It's mostly used at the router for peer to peer stuff - most of us don't need it.   Disabling upnp on the router will not affect the wemos, dlna or other similar apps that only use it for local discovery, in fact in some cases they run better when the router ignores upnp.