Security MadLibs: Your IoT electrical outlet can now pwn your smart TV

McAfee finds new way to break thing that shouldn't be on your home network in the first place

By Shaun Nichols in San Francisco


A security vulnerability in "smart" power plugs can be exploited to infiltrate local computer networks.

The flaw, spotted in Belkin's Wemo Insight smartplugs, could allow an attacker not only to manipulate the plug itself, but also to hop to other devices connected to the same home Wi-Fi network.

Researchers at McAfee this week said they reported the remote code execution flaw, designated CVE-2018-6692, to Belkin in March.

The exploit stems from a buffer overflow in the Universal Plug and Play (UPnP) software the Wemo plug uses to connect to stuff via the Wi-Fi network, enabling the owner to do things like turn the plugs on and off with a smartphone or PC.

McAfee's research team of Douglas McKee, Eoin Carroll, Charles McFarland, Kevin McGrath, and Mark Bereza found that when the flaw is abused to inject instructions into memory, not only could the plug itself be commandeered, but the UPnP service could also be accessed to send commands to other devices on the network, effectively making the plugs a network gateway for attackers.

"A smart plug by itself has a low impact. An attacker could turn off the switch or at worst possibly overload the switch," the team explained.

"But if the plug is networked with other devices, the potential threat grows. The plug could now be an entry point to a larger attack."

In this case, the team said, it was able to create a proof of concept that combined the Wemo security flaw with weaknesses in the Roku API application to send HTTP commands to the set-top box via the smart-plug.

"Using the Wemo as a middleman, the attacker can power the TV on and off, install or uninstall applications, and access arbitrary online content," the researchers explained.


"Smart TVs are just one example of using the Wemo to attack another device. With the attacker having established a foothold on the network and able to open arbitrary ports, any machine connected to the network is at risk."

The bug underscores the primary risk posed by IoT devices and connected appliances. Because they are commonly built by bolting on network connectivity to existing appliances, many IoT devices have little in the way of built-in network security.

Even when security measures are added to the devices, the third-party hardware used to make the appliances "smart" can itself contain security flaws or bad configurations that leave the device vulnerable.

"IoT devices are frequently overlooked from a security perspective; this may be because many are used for seemingly innocuous purposes such as simple home automation," the McAfee researchers wrote.

"However, these devices run operating systems and require just as much protection as desktop computers." ®
