Belkin Wemo Insight Smart Plug Vulnerability Remains Exploitable

If you own a smart home, you are probably aware of the Belkin Wemo Insight smart plug. It helps you turn off your lights and appliances, and you can also monitor them from anywhere.

We want to highlight that the plug has been vulnerable for over a year and that a fix has not yet been introduced, despite the maker being apprised of the security bug. The Belkin Wemo Insight still contains the same remote code execution zero-day vulnerability almost a year after the bug was disclosed. The bug has been assigned the number CVE-2018-6692.

Cybersecurity firm McAfee suggests that the Belkin WeMo Insight smart plug is vulnerable to malware attacks, and that Belkin has taken this issue too lightly even after it was notified in 2016.

Earlier this month, Steve Povolny, McAfee's head of advanced threat research, came out swinging. He claims that in May 2018 his team warned Belkin of a vulnerability (CVE-2019-6692) that could be exploited by an attacker to turn off the switch, overload it, or connect to the switch’s network to become an entry point to a larger attack.

In fact, although Belkin realized how grave the situation was, it never did anything about it. Instead, it apparently patched a vulnerability in a different product, one that is not even on the market anymore.

According to Povolny, McAfee publicly disclosed the vulnerability three months later to raise awareness that there is a definite security issue with the WeMo Insight smart plug. Still, Belkin did nothing about it.

“As of April 10th, 2019, we have heard of plans for a patch towards the end of the month and are standing by to confirm,” he writes in a blog – but there doesn’t seem to be any hard evidence or a release date yet.

Povolny also suspects that malware creators are exploiting the WeMo Insight vulnerability in IoT malware, because the devices are unpatched. So it has taken almost a year for Belkin to do something about it, and all that time the vulnerability has remained exploitable. The Bashlite malware is one such piece of malware that has already compromised IoT devices.

“As this vulnerability requires network access to exploit the device, we highly recommend users of IoT devices such as the WeMo Insight implement strong WIFI passwords, and further isolate IoT devices from critical devices using VLANs or network segmentation,” Povolny writes.

He also points out that IoT devices are prime targets for security issues, and companies like Belkin should be quick off the mark to fix issues, especially when attackers keep track of vulnerabilities that they can weaponize.

He adds that consumers should also apply basic security measures like keeping on top of product updates, using strong passwords, and keeping critical devices away from the IoT.

What’s more, those who use their work devices on home networks should also be concerned. “Just because this is an IoT consumer device typically, does not mean corporate assets cannot be compromised. Once a home network has been infiltrated, all devices on that same network should be considered at risk, including corporate laptops. This is a common method for cybercriminals to cross the boundary between home and enterprise.”

Julia Sowells

Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, has written technical articles, and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm in her role as security consultant while continuing to write for Hacker Combat in her limited spare time.
