Picture this. It's night, and your doorbell rings. You turn on a couple of lights and go to check, but just as you turn the door handle, your lights go out and a couple of intruders shove their way in. OK, that's not a likely scenario, but until Belkin fixed vulnerabilities Bitdefender's security team discovered in the Belkin Wemo Insight Smart Plug, it was at least a possibility. More likely exploits could have included monitoring your activities and presence based on your use of the smart plugs, pranking you by turning lights on and off, or just taking control of the device and using it as a beachhead for sniffing out all the private data on your home network.

Bitdefender's Internet of Things security team has partnered with PCMag to put popular IoT devices to the test. We let them know which devices are important, they give us the details of their findings, and the company behind the device gets a chance to fix any security holes. Everybody wins! Last time we reported a vulnerability in a Ring Doorbell. This time we're turning our attention to smart plugs.

Just What Is This Smart Plug?

You plug the Wemo Insight Smart Plug into a wall socket, connect it to your home network, and plug a lamp or other electric gadget into it. Now you can turn devices on and off remotely using your iOS or Android phone. You can even program it to take action automatically using IFTTT scripts.

This product goes beyond its competition in several ways. Most notably, it monitors the power used through the plug and even tells you how much it's costing you. Our hardware team saw fit to designate it an Editors' Choice, because it's smarter than the average smart plug. Security leaks wouldn't be so smart, though, so we asked the Bitdefender team to put this gadget to the test.

Secure Communications

If you want a device to respond to commands from your smartphone, it needs to communicate in several different ways. It needs access to your local network, naturally. Through the local network, it must securely reach its cloud-based control center. And the smartphone app also needs a secure connection to that control center. The Bitdefender team, led by Level 9001 Wizard (per his Twitter account) Alex "Jay" Balan, scrutinized all these connections and found some good news.

Communication between the device and the cloud server uses secure HTTPS, which is a good start. Authentication relies on the device's MAC address, combined with a secret key. Individual commands use HTTPS as well, and they're digitally signed to prevent tampering.

The team did discover that the device receives firmware updates over an insecure HTTP connection. That could be bad, because an attacker could conceivably force a compromised firmware update, thereby taking total control of the device. However, Belkin built in a mechanism to discard all but verified, legitimate firmware updates.

Communication between the smartphone app and the cloud is also secured. Each message includes the smartphone's unique ID and its MAC address. The server only accepts commands from known devices. MAC addresses can be spoofed, of course, and Bitdefender's Balan confirmed that the same is true of smartphone identifiers. But he pointed out that it would be quite difficult for an attacker to get hold of a valid MAC address and smartphone ID pair matching a specific device. Besides, they don't need to, because there is (or rather was) another way in.

Promiscuous Communication

When you're at the office and want to turn on your living room lights, the smartphone app sends a request to the cloud, which in turn commands the plug to turn on. But when your phone is on the local network, it skips the cloud and sends requests directly. In fact, any device on your local network can send commands to the device, or ask it for information, and this internal communication isn't encrypted in any way.

Building on this promiscuous communication, the team found a way to execute arbitrary code on the device. It works using what's called a buffer overrun. Picture a variable of, say, 10 bytes, followed in memory by 1,000 bytes of executable code. The attack dumps 1,010 bytes of "data" into the variable, overwriting the code part with its own exploit. It only works because some programmer forgot to check that whatever gets written into that variable actually fits in its 10 bytes, but that happens a lot.
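As an added illustration of the overrun just described (example code written for this explanation, not Bitdefender's findings or Belkin's firmware): a hypothetical record with a 10-byte field next to a flag, the unchecked copy that lets an over-long message clobber the flag, and the bounds check that turns the same message away.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_LEN 10

/* The article's picture: a 10-byte variable followed by state that must never
 * be overwritten (a flag stands in for the code). Hypothetical layout. */
struct request {
    char field[FIELD_LEN];
    uint32_t privileged;
};

/* Vulnerable: trusts the sender's length and copies every byte, so input longer
 * than `field` spills into `privileged` (same effect as an unchecked strcpy). */
static void handle_unchecked(struct request *req, const uint8_t *data, size_t len) {
    memcpy((uint8_t *)req, data, len);   /* demo keeps len <= sizeof *req */
}

/* Hardened: reject anything that does not fit together with its terminator. */
bool handle_checked(struct request *req, const uint8_t *data, size_t len) {
    if (len >= FIELD_LEN)
        return false;                    /* nothing is written */
    memcpy(req->field, data, len);
    req->field[len] = '\0';
    return true;
}

/* Constructed oversize message: 'A' bytes up to the flag, then flag = 1. */
static size_t oversize_payload(uint8_t *out) {
    size_t off = offsetof(struct request, privileged);
    uint32_t one = 1;
    memset(out, 'A', off);
    memcpy(out + off, &one, sizeof one);
    return off + sizeof one;
}

/* Feeds the oversize message to one handler and returns the flag afterwards:
 * 1 means the adjacent state was clobbered, 0 means it was left alone. */
uint32_t flag_after(bool use_checked) {
    struct request req = {0};
    uint8_t buf[sizeof(struct request)];
    size_t len = oversize_payload(buf);
    if (use_checked)
        handle_checked(&req, buf, len);  /* returns false, writes nothing */
    else
        handle_unchecked(&req, buf, len);
    return req.privileged;
}
```

The unchecked path is the defect the article describes; the checked path is the one-line length test whose absence makes the overrun possible.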

In this case, Balan suggested the attacker could leave a backdoor into your network. That would allow for unlimited access to your devices, your documents, and pretty much anything on the network.

This only works if the attacker has already penetrated your network in some way. However, Balan pointed out that there are many ways to do that. "People and vendors still don't realize that they should treat the local network as hostile, just as if it were internet-facing," said Balan. "It's quite often that we find ways to breach the home network perimeter."

Hardware Hijinks

It's one thing for a hacker to gain network access, but quite another to have someone in your house with physical access to your devices. If that happens, all bets are off. There are plenty of ways a home invader can subvert your security, including hacking your Belkin plugs.

The attack is possible because the device exposes a serial connection. Bitdefender's ace device crackers found a way to reach in through that connection and reset the device's root password, giving them full control.

We asked Balan if an attacker could crack the device somewhere in the supply chain, before you ever receive it. He replied that indeed it's possible. "But if I wanted to do that," he continued, "I could do it with such a long list of devices, including Android phones and laptops. But I admit it's much cooler and safer with IoT since some people don't really use security solutions for IoT at home."

We went on to ask whether such a hardware-only vulnerability even matters, since an intruder who has physical access to your devices can do so much more. "In a perfect world there shouldn't be any way to tamper with the device, physical access or not," replied Balan. "For example, [a hacker] won't be able to access anything on Bitdefender Box. If anyone could, they would gift backdoored Box units to targets." He went on to say that thinking about hardware vulnerabilities in this way can be "a dangerous bias."

This has necessarily been a high-level description of just what the Bitdefender team found. Check out Bitdefender's blog post, where the team lays out these findings. If you have the technical chops to handle full details, dig into Bitdefender's whitepaper on the subject.

The Fix Is In

Bitdefender practices responsible disclosure of vulnerabilities, meaning they notify the company and give it 90 days to correct the problem before disclosure. They informed Belkin of their findings in mid-June, and Belkin pushed out a firmware fix on August 1, well before the 90-day deadline.

These days, just about any device may be internet-aware, from refrigerators that tell you when you're low on milk to garage doors that alert you if they're left open. Many of these devices, like video doorbells and that smart garage door, aim to protect your security in some way. But all too many of them don't bake security into their code, or accidentally leave security holes. PCMag will continue to supply the Bitdefender team with recommendations for devices to put through the wringer, revealing any security problems and getting them fixed.
