02-15-2019 10:33 PM - edited 02-19-2019 09:21 PM
My v3 Wemo Mini Smart Plug device is demonstrating this problem, advertising the setup wifi network even after being connected to my home wifi and otherwise operating normally.
It is definitely not the case that the setup network is "inactive", or in any other way made safe, as asserted by Wemo support. When connected to the setup network, the plug offers a handful of open network ports that lead to services, which, from my reading, appear to be used for the plug's primary UPnP API.
Nmap scan report for 10.22.22.1
Host is up (0.0034s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE VERSION
53/tcp    open  domain  (generic dns response: REFUSED)
49153/tcp open  upnp    Belkin Wemo upnpd (UPnP 1.0)
49155/tcp open  upnp    Portable SDK for UPnP devices 1.8.0 (Linux 3.18.27; UPnP 1.0)
49156/tcp open  upnp    Portable SDK for UPnP devices 1.8.0 (Linux 3.18.27; UPnP 1.0)
50349/tcp open  unknown
........
........
MAC Address: 24:F5:A2:FF:XX:XX (Belkin International)
Service Info: OS: Linux; Device: power-misc; CPE: cpe:/o:linux:linux_kernel:3.18.27
This is most definitely an attack surface, accessible via an open wifi network. The fact that the device is also set up to speak to the user's secured home wifi network means that an attacker's possible spoils include access to that user's home network.
It should be pretty clear that this is a security incident, and should be handled as one. I certainly wouldn't leave my device plugged in until this is resolved.
EDIT: MORE FUN
These APIs are completely unsecured. Using some commandline tools that someone else wrote to talk to the Wemo, I'm able to turn my switch on and off from the unsecured setup network.
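As an added defender-side example, not code from the original post: a small Python checker that parses the kind of nmap report quoted above and flags open UPnP control ports on a Belkin device, so an owner can verify from a scan of the setup network whether the exposure described here is present. The report text below is constructed from the scan in the post, with the elided rows omitted.

```python
import re

# Constructed sample: the nmap report from the post, elided rows left out.
NMAP_REPORT = """\
Nmap scan report for 10.22.22.1
Host is up (0.0034s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE VERSION
53/tcp    open  domain  (generic dns response: REFUSED)
49153/tcp open  upnp    Belkin Wemo upnpd (UPnP 1.0)
49155/tcp open  upnp    Portable SDK for UPnP devices 1.8.0 (Linux 3.18.27; UPnP 1.0)
49156/tcp open  upnp    Portable SDK for UPnP devices 1.8.0 (Linux 3.18.27; UPnP 1.0)
50349/tcp open  unknown
MAC Address: 24:F5:A2:FF:XX:XX (Belkin International)
"""

# One port row of nmap's normal output: "<port>/<proto> <state> <service> [<version>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
MAC_RE = re.compile(r"^MAC Address:\s+\S+\s+\((.*)\)$")


def parse_nmap_ports(report):
    """Return one dict per port row found in a normal-format nmap report."""
    rows = []
    for line in report.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2),
                         "state": m.group(3), "service": m.group(4),
                         "version": m.group(5)})
    return rows


def exposed_upnp_ports(report):
    """Open ports nmap identifies as UPnP, i.e. the Wemo control API."""
    return [r["port"] for r in parse_nmap_ports(report)
            if r["state"] == "open" and r["service"] == "upnp"]


def assess(report):
    """Summarise whether the scanned host exposes Belkin UPnP control ports."""
    vendor = next((MAC_RE.match(l.strip()).group(1) for l in report.splitlines()
                   if MAC_RE.match(l.strip())), "")
    ports = exposed_upnp_ports(report)
    belkin = "Belkin" in vendor or "Belkin" in report
    return {"vendor": vendor, "upnp_ports": ports,
            "exposed": bool(ports) and belkin}


if __name__ == "__main__":
    print(assess(NMAP_REPORT))
```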
02-19-2019 04:41 PM - edited 02-19-2019 04:50 PM
Unbelievable. We're all fools for letting Belkin tell us everything is ok when they are clearly incompetent when it comes to security. I have verified zodo123's assertions myself, and they are all true. The insecure network that the version 3 minis leave open grants full control of the device when connected to!!!
Anyone can try this themselves. All you need to do is install the command line tools available here, https://github.com/agilemation/Belkin-WeMo-Command-Line-Tools and then connect to the mini's wifi network. A simple command line entry of "wemo -h 10.22.22.1 --action ON" will turn the device on and a simple "wemo -h 10.22.22.1 --action OFF" will turn it off. God knows what else is possible.
THIS ISN'T A SECURITY FLAW. THIS IS THE COMPLETE ABSENCE OF SECURITY!!!
02-22-2019 09:21 AM - edited 02-22-2019 09:37 AM
I can verify this exploit works without any problem whatsoever. I connected to the open setup wireless access point and ran the on and off action commands using the wemo command line tool.
This is completely unacceptable.
A tech savvy jerk from my neighborhood could play around with that outlet all day and potentially damage the device that is connected to it.
And who's to say that with a bit of poking around those open ports cannot be exploited to jump over to my home's secured network? The open setup network is fully responsive to commands. A service is sitting behind it that is taking input from anyone.
I should have known better and returned the devices on day one. Just the initial setup of four of those plugs was a complete circlejump nightmare that took me several hours to complete.
02-22-2019 06:07 PM
I spoke with Belkin's technical support today and they have told me that this issue is new to them for our version of hardware. They had a similar issue, where the setup network stayed active after setup, with the previous version of hardware last year and fixed it with a firmware update. For our version, which still has the issue, there is no current solution. The support person referred my case to their engineers who will contact me on Monday.
For now the only foolproof solution to protect yourself is to unplug your devices.
For anyone else submitting a request to Belkin, the key identifier that the technical support person cared about in identifying the device is the last portion of the firmware name. The "V2" at the end of the firmware name is what really identifies the hardware. I don't know what the "Hardware version" section of the app is for, but they don't seem to care what that says.
If you submit a support request, the person who handles the email may not understand the distinction in hardware versions and recommend a firmware update (for the firmware that fixed the issue last year with the previous hardware). This is them being confused about which firmware is available for which hardware. Just let them know that you tried the firmware update procedure and that no update is available.
For reference my firmware is:
02-26-2019 08:29 AM
Of course issues can pop up with any product. It's a little more urgent when it happens with something like this, that can affect your home security for example, but it's still understandable. What is inconceivable is that a company would tell everyone that there is no cause to be alarmed, and that there is no security risk, when it's clear that they can't even identify the precise problem that is causing the issue.
And what happens? A couple of weeks later it's revealed that a large security hole exists and is readily exploitable by any script-kiddie on the block. I'm having trouble deciding what's worse, the security hole or Belkin's response to the situation.
This is the first product I bought from Belkin, and it is also certainly the last.
02-26-2019 04:15 PM
Oh, I know the answer! Belkin's response is much worse than the security exposure!
This should have been opened as a severity 1 priority 1 defect as soon as it was discovered and all owners warned to unplug the wemos immediately until a firmware fix was issued. The fix should have been made available within 24hrs (as fitting a sev 1 pri 1 defect). No developer should have left the office until this was resolved.
Instead we haven't seen a proper comment from belkin since Reynaldo said "We understand your security concern. However, it doesn't pose any danger to your wireless network or Wemo. Once the setup is completed, the Wemo changes from setup mode to operation mode. Know that we are already looking for a fixed but there is no lead time yet. Just keep your Wemo devices up-to-date. Loopback for further assistance."
The ONE advantage of Belkin over the cheaper but horribly risky China-manufactured cloud-only IoT devices is the vain hope that Belkin would take better care of our cloud data and security.
02-27-2019 12:48 PM
Hi there! Allow us to have the case forwarded to our 2nd Level Support team for isolation and a further diagnosis on this. Please send us an email at WemoCares@belkin.com with the following details:
Link to this community thread.
WEMO Technical Support
02-28-2019 07:50 AM
02-28-2019 09:56 AM