Wemo won’t fix Smart Plug vulnerability allowing remote operation


Sternum suggests not exposing any of these units to the wider Internet and, where possible, segmenting them onto their own subnet away from sensitive devices. That is only a partial mitigation, however: the vulnerability could also be triggered through Wemo’s cloud-based interface.

The community tool used to reach the vulnerable interface is pyWeMo (an updated fork of the version used at my coworking space). Newer Wemo devices offer more features, but they still respond to network commands sent from pyWeMo without any password or authentication.

Belkin’s Wemo devices have caused smart home security headaches before. In February 2014, security researchers revealed that its devices leaked passwords through a firmware update workflow; Belkin said it had already patched the issues in a firmware update, though it seemingly told neither the researcher who reported them nor US-CERT (now part of the Cybersecurity and Infrastructure Security Agency). In 2019, researchers reported that a vulnerability they had disclosed to Belkin a year earlier was still unfixed.

Wemo’s vulnerable plugs were among the most popular and simplest available, recommended by many smart home guides and, judging by review counts, purchased by thousands of buyers. They debuted in 2019, but unlike smartphones or tablets they are not devices people replace every few years; four years on, owners had no good reason to get rid of them until now.

I have a couple at my home that do mundane things like “toggle the string lights on my banister on at sunset and off at 10 pm” and “turn on the white noise machine when I’m too lazy to get up from bed to do that.” They will be secure from remote code executions once they have been shredded and sorted into component metals by my regional e-waste facility.

One thing that would help Wemo’s devices escape their Internet-exposed vulnerabilities and end-of-life support shortfalls would be offering local-only support through Matter. Belkin, however, is not eager to jump into Matter support just yet, saying it may offer it in its Wemo products once it can “find a way to differentiate them.” One might suggest that Belkin has now been presented with at least one notable way its future products could be different.