Hacking smart plugs to enter business networks


McAfee researchers have discovered a buffer overflow flaw in Belkin’s Wemo Insight Smart Plug that can be exploited by attackers to access and interfere with other networked devices and the network itself.


What is a smart plug?

A smart plug is plugged into a standard wall socket and allows users to remotely turn on and off any appliance that is plugged into it, either immediately or by scheduling the action(s).

A smart plug is connected to the Internet and is controlled via an app (in this case, the Wemo mobile application).

About the vulnerability (CVE-2018-6692)

CVE-2018-6692 is a stack-based buffer overflow vulnerability in the libUPnPHndlr.s library. It can allow remote attackers to bypass local security protection via a crafted HTTP POST packet.

“Can this vulnerability lead to a useful attack? A smart plug by itself has a low impact,” they explained. “An attacker could turn off the switch or at worst possibly overload the switch. But if the plug is networked with other devices, the potential threat grows.”

To demonstrate the risk, they staged a possible attack: exploiting the vulnerability to poke a hole in the network router, creating a backdoor channel and finally gaining control of a TCL smart TV connected to the network.

“The Roku API implementation on the TV uses simple unencrypted HTTP GET/POST requests to issue commands and does not authenticate the machine sending these commands, making remote control trivial,” they noted.

“Using the Wemo as a middleman, the attacker can power the TV on and off, install or uninstall applications, and access arbitrary online content. Smart TVs are just one example of using the Wemo to attack another device. With the attacker having established a foothold on the network and able to open arbitrary ports, any machine connected to the network is at risk. Because attacks can be conducted through the Wemo and the port mappings generated using this exploit are not visible from the router’s administration page, the attacker’s footprint remains small and hard to detect.”
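One way to audit for the hidden port mappings the researchers describe, as an added example that is not from the original article or from McAfee's research: ask the router's UPnP IGD WANIPConnection service directly for every mapping it holds (the admin page may not list them) and review each one. The SOAP request and reply shapes follow the UPnP IGD specification; the sample reply, the addresses, the port list and the inventory set are constructed for this example.

```python
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"

def build_request(index: int) -> tuple[dict, str]:
    """Headers and body of the SOAP POST for mapping number `index` (iterate from 0)."""
    body = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPACTION": f'"{SERVICE}#GetGenericPortMappingEntry"'}
    return headers, body

# Constructed reply in the shape of a GetGenericPortMappingEntryResponse;
# the addresses and ports are made up for this example.
SAMPLE_REPLY = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8443</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>23</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription></NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

def parse_mapping(xml_text: str) -> dict:
    """Flatten the New* elements of one mapping reply into a dict."""
    f = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.split("}")[-1]          # strip the namespace prefix
        if name.startswith("New"):
            f[name[3:]] = (el.text or "").strip()
    return {"external_port": int(f["ExternalPort"]), "protocol": f["Protocol"],
            "internal_port": int(f["InternalPort"]), "internal_client": f["InternalClient"],
            "enabled": f["Enabled"] == "1", "description": f["PortMappingDescription"],
            "lease": int(f["LeaseDuration"])}

ADMIN_PORTS = {22, 23, 80, 443, 445, 3389, 5900}   # constructed watch list
def review_mapping(m: dict, known_hosts: set) -> list:
    """Return reasons an audited mapping deserves a closer look (empty = none)."""
    reasons = []
    if m["enabled"] and m["internal_client"] not in known_hosts:
        reasons.append("internal host is not on the inventory")
    if not m["description"]:
        reasons.append("no description (legitimate apps usually set one)")
    if m["lease"] == 0:
        reasons.append("permanent lease")
    if m["internal_port"] in ADMIN_PORTS:
        reasons.append(f"exposes administrative port {m['internal_port']}")
    return reasons
```

Send the request from `build_request` to the control URL advertised in the router's IGD description document and stop when the router returns a SOAP fault, which marks the end of the table.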

For a video demonstration of the attack and a detailed account of how they went about poking and probing the smart plug, you can check out their blog post.

They reported the flaw to Belkin, but there is no mention of whether it has been fixed.

“Discoveries such as CVE-2018-6692 underline the importance of secure coding practices on all devices. IoT devices are frequently overlooked from a security perspective; this may be because many are used for seemingly innocuous purposes such as simple home automation,” the researchers noted.

“However, these devices run operating systems and require just as much protection as desktop computers. A vulnerability such as we discovered could become the foothold an attacker needs to enter and compromise an entire business network.”