Wemo: Difference between revisions
Remove dead citation and associated statement; Fix typos |
m link DNS |
||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 29: | Line 29: | ||
On 5 November 2013, Wemo updated its API to prevent future XML injection attacks.<ref>{{Cite web |author= |title=Wemo® and Security |url=https://www.belkin.com/support-article/?articleNum=80322 |website=[[Belkin]] |date= |access-date=19 Feb 2026 |url-status=live |archive-url=https://web.archive.org/web/20230926192207/https://www.belkin.com/support-article/?articleNum=80322 |archive-date=26 Sep 2023}}</ref> | On 5 November 2013, Wemo updated its API to prevent future XML injection attacks.<ref>{{Cite web |author= |title=Wemo® and Security |url=https://www.belkin.com/support-article/?articleNum=80322 |website=[[Belkin]] |date= |access-date=19 Feb 2026 |url-status=live |archive-url=https://web.archive.org/web/20230926192207/https://www.belkin.com/support-article/?articleNum=80322 |archive-date=26 Sep 2023}}</ref> | ||
On 16 May 2023, multiple websites reported a Sternum study regarding a buffer overflow vulnerability in the Wemo Mini Smart Plug V2.<ref>{{Cite web |last1=Serper |first1=Amit |last2=Yakar |first2=Reuven |title=‘FriendlyName’ Buffer Overflow Vulnerability in Wemo Smart Plug V2 |url=https://sternumiot.com/iot-blog/mini-smart-plug-v2-vulnerability-buffer-overflow/ |website=Sternum |date=16 May 2023 |access-date=19 Feb 2026 |url-status=live |archive-url=https://web.archive.org/web/20230516160431/https://sternumiot.com/iot-blog/mini-smart-plug-v2-vulnerability-buffer-overflow/ |archive-date=16 May 2023}}</ref> The study mentions the device could be exploited through a program called pyWemo<ref>{{Cite web |last=Lakshmanan |first=Ravie |title=Serious Unpatched Vulnerability Uncovered in Popular Belkin Wemo Smart Plugs |url=https://thehackernews.com/2023/05/serious-unpatched-vulnerability.html |website=The Hacker News |date=17 May 2023 |access-date=19 Feb 2026 |url-status=live |archive-url=https://web.archive.org/web/20230517155641/https://thehackernews.com/2023/05/serious-unpatched-vulnerability.html |archive-date=17 May 2023}}</ref> and potentially through cloud controls.<ref>{{Cite web |last=Davis |first=Wes |title=PSA: time to recycle your old Wemo smart plugs (if you haven’t already) |url=https://www.theverge.com/2023/5/16/23725290/wemo-smart-plug-v2-smart-home-security-vulnerability |website=The Verge |date=16 May 2023 |access-date=29 Mar 2025 |url-status=live |archive-url=https://web.archive.org/web/20230517021155/https://www.theverge.com/2023/5/16/23725290/wemo-smart-plug-v2-smart-home-security-vulnerability |archive-date=17 May 2023}}</ref> In their official response, Wemo stated "we believe that bad actors cannot exploit this vulnerability unless they have access to the user's local network",<ref>{{Cite web |author=WEMOcares |title=WEMOcares on X |url=https:// | On 16 May 2023, multiple websites reported a Sternum study regarding a buffer overflow vulnerability 
in the Wemo Mini Smart Plug V2.<ref>{{Cite web |last1=Serper |first1=Amit |last2=Yakar |first2=Reuven |title=‘FriendlyName’ Buffer Overflow Vulnerability in Wemo Smart Plug V2 |url=https://sternumiot.com/iot-blog/mini-smart-plug-v2-vulnerability-buffer-overflow/ |website=Sternum |date=16 May 2023 |access-date=19 Feb 2026 |url-status=live |archive-url=https://web.archive.org/web/20230516160431/https://sternumiot.com/iot-blog/mini-smart-plug-v2-vulnerability-buffer-overflow/ |archive-date=16 May 2023}}</ref> The study mentions the device could be exploited through a program called pyWemo<ref>{{Cite web |last=Lakshmanan |first=Ravie |title=Serious Unpatched Vulnerability Uncovered in Popular Belkin Wemo Smart Plugs |url=https://thehackernews.com/2023/05/serious-unpatched-vulnerability.html |website=The Hacker News |date=17 May 2023 |access-date=19 Feb 2026 |url-status=live |archive-url=https://web.archive.org/web/20230517155641/https://thehackernews.com/2023/05/serious-unpatched-vulnerability.html |archive-date=17 May 2023}}</ref> and potentially through cloud controls.<ref>{{Cite web |last=Davis |first=Wes |title=PSA: time to recycle your old Wemo smart plugs (if you haven’t already) |url=https://www.theverge.com/2023/5/16/23725290/wemo-smart-plug-v2-smart-home-security-vulnerability |website=The Verge |date=16 May 2023 |access-date=29 Mar 2025 |url-status=live |archive-url=https://web.archive.org/web/20230517021155/https://www.theverge.com/2023/5/16/23725290/wemo-smart-plug-v2-smart-home-security-vulnerability |archive-date=17 May 2023}}</ref> In their official response, Wemo stated "we believe that bad actors cannot exploit this vulnerability unless they have access to the user's local network",<ref>{{Cite web |author=WEMOcares |date=17 May 2023 |title=WEMOcares on X |url=https://nitter.catsarch.com/WEMOcares/status/1658963426230562819 |url-status=live 
|archive-url=https://web.archive.org/web/20260324184234/https://nitter.catsarch.com/WEMOcares/status/1658963426230562819 |archive-date=24 Mar 2026 |access-date=19 Mar 2025 |website=[[X]]}}</ref> and "We discontinued the Wemo Mini Smart Plug V2 (F7C063) in 2020"<ref>{{Cite web |author=WEMOcares |date=17 May 2023 |title=WEMOcares on X |url=https://nitter.catsarch.com/WEMOcares/status/1658963635882938374 |url-status=live |archive-url=https://web.archive.org/web/20260324184237/https://nitter.catsarch.com/WEMOcares/status/1658963635882938374 |archive-date=24 Mar 2026 |access-date=19 Feb 2026 |website=[[X]]}}</ref> despite not making this information publicly available prior. During this report, the Wemo app hadn't been updated in two years, with the most recent update being on February 23, 2021, as previously mentioned.<ref name="AAS" /> | ||
===Connection issues (''2018—2026'')=== | ===Connection issues (''2018—2026'')=== | ||
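Review bot: The two WEMOcares citations at the end of this paragraph are inconsistent with each other and with their declared source. The first has access-date=19 Mar 2025 against an archive-date of 24 Mar 2026, while the second has access-date=19 Feb 2026. Both set url= to nitter.catsarch.com while declaring website=[[X]]. Suggest aligning the access dates, and either pointing url= at the original post or naming the mirror in the citation so readers can see the quote comes from a third-party front end. The clause "despite not making this information publicly available prior" also sits after the second citation with no reference of its own, so it needs a source or should be dropped.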
| Line 37: | Line 37: | ||
===DNS activity (''2024'')=== | ===DNS activity (''2024'')=== | ||
Some users of Wemo have noticed their switches connect to multiple unrelated domains, such as to CNN and Fastly.<ref>{{Cite web |author=sd_042 |title=Fun fact: Wemo switches act as a DNS server |url=https://old.reddit.com/r/WeMo/comments/1auslst/fun_fact_wemo_switches_act_as_a_dns_server/ |website=[[Reddit]] |date=19 Feb 2024 |access-date=29 Mar 2025 |url-status=live |archive-url=http://web.archive.org/web/20240307040322/https://old.reddit.com/r/WeMo/comments/1auslst/fun_fact_wemo_switches_act_as_a_dns_server/ |archive-date=7 Mar 2024}}</ref> Other reports mention each Wemo device making 160,000+ DNS requests in a 24-hour timeframe.<ref>{{Cite web |author=D3-Doom |title=Fun fact: Wemo switches act as a DNS server |url=https://old.reddit.com/r/WeMo/comments/1auslst/fun_fact_wemo_switches_act_as_a_dns_server/ktxkqx8/ |website=[[Reddit]] |date=8 Mar 2024 |access-date=19 Feb 2026 |url-status=live |archive-url=https://web.archive.org/web/20260222233252/https://old.reddit.com/r/WeMo/comments/1auslst/fun_fact_wemo_switches_act_as_a_dns_server/ktxkqx8/ |archive-date=22 Feb 2026}}</ref> | Some users of Wemo have noticed their switches connect to multiple unrelated domains, such as to CNN and [[wikipedia:Fastly|Fastly]].<ref>{{Cite web |author=sd_042 |title=Fun fact: Wemo switches act as a DNS server |url=https://old.reddit.com/r/WeMo/comments/1auslst/fun_fact_wemo_switches_act_as_a_dns_server/ |website=[[Reddit]] |date=19 Feb 2024 |access-date=29 Mar 2025 |url-status=live |archive-url=http://web.archive.org/web/20240307040322/https://old.reddit.com/r/WeMo/comments/1auslst/fun_fact_wemo_switches_act_as_a_dns_server/ |archive-date=7 Mar 2024}}</ref> Other reports mention each Wemo device making 160,000+ [[wikipedia:Domain_Name_System|DNS]] requests in a 24-hour timeframe.<ref>{{Cite web |author=D3-Doom |title=Fun fact: Wemo switches act as a DNS server |url=https://old.reddit.com/r/WeMo/comments/1auslst/fun_fact_wemo_switches_act_as_a_dns_server/ktxkqx8/ |website=[[Reddit]] 
|date=8 Mar 2024 |access-date=19 Feb 2026 |url-status=live |archive-url=https://web.archive.org/web/20260222233252/https://old.reddit.com/r/WeMo/comments/1auslst/fun_fact_wemo_switches_act_as_a_dns_server/ktxkqx8/ |archive-date=22 Feb 2026}}</ref> | ||
===Discontinuation of cloud service (''2026'')=== | ===Discontinuation of cloud service (''2026'')=== | ||
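Review bot: In the DNS activity paragraph the new revision links Fastly via [[wikipedia:Fastly|Fastly]] but leaves CNN, in the same clause, unlinked, and the first citation's archive-url still uses http://web.archive.org while every other archive-url in this diff uses https://. Suggest linking both names or neither, and switching that archive-url to https for consistency. The phrase "such as to CNN" can also drop the second "to" while this sentence is being touched.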