Earlier this month, McAfee head of advanced threat research Steve Povolny came out swinging against Belkin. He claims that in May 2018 his team warned Belkin of a vulnerability (CVE-2019-6692) that could be exploited by an attacker to turn off the switch, overload it, or connect to the switch’s network to become an entry point to a larger attack.
Despite Belkin’s acknowledgement of the vulnerability, it seems the company never did anything about it. Instead, they apparently patched a vulnerability in an entirely different product that doesn’t appear to be on the market anymore.
Three months later McAfee publicly disclosed the vulnerability to raise awareness that there is a definite security issue with the WeMo Insight smart plug. Still, Belkin did nothing about it, according to Povolny.
“As of April 10th, 2019, we have heard of plans for a patch towards the end of the month and are standing by to confirm,” he writes in a blog – but there doesn’t seem to be any hard evidence or a release date yet.
So it has taken almost a year for Belkin to do something about it – all that time, the vulnerability has remained exploitable. Povolny also suspects that malware creators are exploiting the WeMo Insight vulnerability into IoT malware, because the devices are unpatched. The Bashlite malware is one such piece of malware that is already compromising IoT devices.
“As this vulnerability requires network access to exploit the device, we highly recommend users of IoT devices such as the WeMo Insight implement strong WIFI passwords, and further isolate IoT devices from critical devices using VLANs or network segmentation,” Povolny writes.
He also points out that IoT devices are prime targets for security issues, and companies like Belkin should be quick off the mark to fix issues, especially when attackers keep track of vulnerabilities that they can weaponise.
He adds that consumers should also apply basic security measures like keeping on top of product updates, using strong passwords, and keeping critical devices away from the IoT.
What’s more, those who use their work devices on home networks should also be concerned. “Just because this is an IoT consumer device typically, does not mean corporate assets cannot be compromised. Once a home network has been infiltrated, all devices on that same network should be considered at risk, including corporate laptops. This is a common method for cyber criminals to cross the boundary between home and enterprise,” Polovny warns.