Security MadLibs: Your IoT electrical outlet can now pwn your smart TV
McAfee finds new way to break thing that shouldn't be on your home network in the first place
A security vulnerability in "smart" power plugs can be exploited to infiltrate local computer networks.
The flaw, spotted in Belkin's Wemo Insight smartplugs, would potentially allow an attacker to not only manipulate the plug itself, but also allow hopping to other devices connected to the same Wi-Fi home network.
Researchers at McAfee this week said they reported the remote code execution flaw, designated CVE-2018-6692, to Belkin in March.
The exploit stems from a buffer overflow in the Universal Plug and Play (UPnP) software the Wemo plug uses to connect to stuff via the Wi-Fi network, enabling the owner to do things like turn the plugs on and off with a smartphone or PC.
McAfee's research team of Douglas McKee, Eoin Carroll, Charles McFarland, Kevin McGrath, and Mark Bereza found that when the flaw is abused to inject instructions into memory, the plug itself could not only be commandeered, but the UPnP service could also be accessed to send commands to other devices on the network, effectively making the plugs a network gateway for attackers.
"A smart plug by itself has a low impact. An attacker could turn off the switch or at worst possibly overload the switch," the team explained.
"But if the plug is networked with other devices, the potential threat grows. The plug could now be an entry point to a larger attack."
In this case, the team said, it was able to create a proof of concept that combined the Wemo security flaw with weaknesses in the Roku API application to send HTTP commands to the set-top box via the smart-plug.
"Using the Wemo as a middleman, the attacker can power the TV on and off, install or uninstall applications, and access arbitrary online content," the researchers explained.
"Smart TVs are just one example of using the Wemo to attack another device. With the attacker having established a foothold on the network and able to open arbitrary ports, any machine connected to the network is at risk."
The bug underscores the primary risk posed by IoT devices and connected appliances. Because they are commonly built by bolting on network connectivity to existing appliances, many IoT devices have little in the way of built-in network security.
Even when security measures are added to the devices, the third-party hardware used to make the appliances "smart" can itself contain security flaws or bad configurations that leave the device vulnerable.
"IoT devices are frequently overlooked from a security perspective; this may be because many are used for seemingly innocuous purposes such as simple home automation," the McAfee researchers wrote.
"However, these devices run operating systems and require just as much protection as desktop computers." ®