
Belkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched – Naked Security

Researchers at Sternum, an IoT security company, recently examined the security of a popular home automation mains plug from Belkin, called the Wemo Mini Smart Plug. Although the model is nearing the end of its shelf life, it is still available for purchase online and comes with detailed setup instructions on Belkin’s website. The Wemo Mini Smart Plug is a power socket that interposes a Wi-Fi-controlled switch between the mains outlet on the wall and an identical-looking mains outlet on the front of the smart plug. IoT devices like the Wemo Mini Smart Plug are known for their cybersecurity issues, and insecure home automation devices that allow remote access to electrical appliances are a genuine security concern. In this case, the researchers discovered a remote code execution hole in the Wemo Mini Smart Plug, which Belkin has declined to patch.

The researchers found a stack buffer overflow in the part of the Wemo Mini Smart Plug’s software that lets users change the device’s FriendlyName, the name displayed when a user connects to the device with the app on their phone. The Belkin programmers reserved 68 bytes of temporary storage to hold the new name when a user renamed the device, but did not check whether the supplied name would fit into that 68-byte slot. The researchers found that they could crash the Wemo device at will by writing past the end of the memory buffer reserved for the new name, corrupting the data stored in the bytes that immediately followed. On a stack-based architecture, a temporary memory buffer is followed by a block of memory that tells the program where to go when it has finished what it is doing right now. If an attacker can trample on that return address before the subroutine finishes running, the program will “unwind” itself to the wrong place, and the attacker can steer it into running code of their choice, thus delivering a remote code execution exploit.

To protect against exploits of this sort, two common defences are used: address space layout randomisation (ASLR) and stack canaries. ASLR deliberately loads programs at slightly different memory locations every time they run, making it harder for attackers to guess how to misdirect a buggy program in a way that ultimately gets control instead of merely crashing the code. Stack canaries are random blocks of data placed just before the return address on the stack, so that a buffer overflow will unavoidably and detectably overwrite the “canary” before it gets as far as trampling on the return address. The researchers needed to force the Wemo plug to turn ASLR off to get their exploit to work quickly and reliably.
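The following C program is an added example, not code from Sternum’s research or from Belkin’s firmware. It reconstructs the defect pattern described in the two paragraphs above (a fixed 68-byte buffer filled without a length check), shows the bounds check that was missing, and models how a stack canary sitting between the buffer and the return address catches the overflow. The 68-byte size is taken from the article; the function names, the frame layout and the canary constant are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the temporary slot for the new FriendlyName, as described in the
   article. Everything else in this file is a constructed illustration. */
#define FRIENDLY_NAME_BUF 68

/* The defect pattern: the slot is fixed at 68 bytes but the copy is unbounded.
   A name of 68 or more characters (plus its NUL terminator) runs past 'buf'.
   Shown for contrast only; never call it with untrusted input. */
static void set_friendly_name_unchecked(const char *name, char *buf)
{
    strcpy(buf, name);   /* no length check: overflow if strlen(name) >= 68 */
}

/* The missing check. Reject over-long names rather than silently truncating,
   and remember that the NUL terminator needs a byte of its own. */
static bool set_friendly_name_checked(const char *name, char *buf, size_t bufsz)
{
    /* Look for the terminator only within the first bufsz bytes of 'name'. */
    const char *end = memchr(name, '\0', bufsz);
    if (end == NULL)              /* no terminator within bufsz: too long */
        return false;
    size_t n = (size_t)(end - name);
    memcpy(buf, name, n + 1);     /* n characters plus terminator, n + 1 <= bufsz */
    return true;
}

/* Toy model of a guarded stack frame: the name slot is followed by a guard
   word, as a compiler-inserted canary sits below the saved return address. */
struct guarded_frame {
    char     name[FRIENDLY_NAME_BUF];
    uint32_t canary;
};

#define CANARY_VALUE 0xA5C3E1F7u  /* constructed constant; real canaries are random per process */

/* Simulate the unchecked copy inside the guarded frame. The copy is clamped to
   sizeof(*f) so the simulation stays inside the object, but a name of 68 or
   more characters still spills into the canary field, just as a real overflow
   hits the canary before the return address. Returns true if the canary survived. */
static bool copy_then_check_canary(struct guarded_frame *f, const char *name)
{
    f->canary = CANARY_VALUE;
    size_t n = strlen(name) + 1;              /* bytes the unchecked copy would write */
    if (n > sizeof(*f))
        n = sizeof(*f);
    memcpy((unsigned char *)f, name, n);      /* starts at name[0], may run into canary */
    return f->canary == CANARY_VALUE;
}

/* Build a name of 'len' letters and report whether the checked setter accepts it. */
static bool demo_name_fits(size_t len)
{
    char name[256];
    char buf[FRIENDLY_NAME_BUF];
    if (len >= sizeof name)
        return false;
    memset(name, 'A', len);
    name[len] = '\0';
    return set_friendly_name_checked(name, buf, sizeof buf);
}

/* Build a name of 'len' letters and report whether the canary survives the unchecked copy. */
static bool demo_canary_survives(size_t len)
{
    char name[256];
    struct guarded_frame f;
    if (len >= sizeof name)
        return false;
    memset(name, 'A', len);
    name[len] = '\0';
    return copy_then_check_canary(&f, name);
}

int main(void)
{
    char buf[FRIENDLY_NAME_BUF];
    set_friendly_name_unchecked("Kitchen lamp", buf);   /* safe only because the input is short */
    printf("unchecked copy of a short name: %s\n", buf);
    printf("67-char name accepted by checked setter: %s\n", demo_name_fits(67) ? "yes" : "no");
    printf("68-char name accepted by checked setter: %s\n", demo_name_fits(68) ? "yes" : "no");
    printf("canary intact after 67-char copy: %s\n", demo_canary_survives(67) ? "yes" : "no");
    printf("canary intact after 68-char copy: %s\n", demo_canary_survives(68) ? "yes" : "no");
    return 0;
}
```

The boundary is the point to watch: 67 characters plus the terminator exactly fill the 68-byte slot, so the checked setter accepts 67 and rejects 68, and the modelled canary is clobbered by the very first byte written past the slot. A compiler-inserted canary does the same job at function return, aborting the process instead of letting a corrupted return address be used.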

In conclusion, the Wemo Mini Smart Plug is a popular consumer device that is vulnerable to remote code execution exploits. The cybersecurity issues with IoT devices are well known, and it is important to ensure that these devices are secure, especially when they could allow someone outside your house, or even on the other side of the world, to turn electrical appliances on and off at will. The researchers discovered a stack buffer overflow in the code that lets users change the device’s FriendlyName, and by writing past the end of the memory buffer reserved for the new name they were able to corrupt the data stored in the bytes that immediately followed. Although two common defences, ASLR and stack canaries, are used to protect against exploits of this sort, the researchers were able to force the Wemo plug to turn ASLR off to get their exploit to work quickly and reliably. It is important for IoT device manufacturers to take cybersecurity seriously and to ensure that their devices are secure, even if they are nearing the end of their shelf life.
