Belkin patches vulnerabilities in WeMo devices

Summary: Vendor patches firmware, API server, smartphone apps

WeMo developer Belkin has patched five vulnerabilities in its home automation lineup discovered by a research firm that detailed the flaws and advised people to deactivate the devices.

Belkin late Tuesday issued a statement saying it had been in contact with the researchers prior to their advisory being issued and had fixes for five vulnerabilities as of Feb. 18.

Research firm IOActive, which reported the flaws, said specifically in its report issued Feb. 18 that the vulnerabilities had not been patched and advised users to stop using WeMo devices. In addition, US-CERT issued an advisory and reported that it was currently unaware of "practical solutions" to the problem.

Belkin said its patches fixed issues in its WeMo API server, WeMo firmware and WeMo apps for iPhone and Android. Those were the issues detailed in the IOActive and US-CERT reports.

The IOActive researchers said hackers could take control of WeMo devices and even acquire internal LAN access. IOActive recommended users turn off the devices and reported the flaws to US-CERT, which then issued its own advisory.

The news came a week after Belkin announced it was named to Fast Company magazine's list of Top 10 Most Innovative Companies in the Internet of Things (IoT).

Late Tuesday, Belkin released a statement saying it "was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates."

Belkin said devices with the recent firmware release (version 3949) are not at risk for malicious firmware attacks and are not at risk for remote control or monitoring of WeMo devices from unauthorized devices.

The company said smartphone users should download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.2.1) and then upgrade the firmware version through the app.

The Belkin statement said specific fixes included:

  • An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices.
  • An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack.
  • An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that contains the most recent firmware update.
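The second fix above describes the pattern that matters for firmware security: the device holds only a verification (public) key, the signing key stays on the vendor's build server, and an image is checked before it is flashed. The Go program below is an added illustration of that pattern, not Belkin's code or anything taken from the WeMo firmware; the key pair, the digest format and every version number except the page's 3949 are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// FirmwareImage stands in for one feed entry: image bytes plus a detached
// signature over a digest that covers both the version number and the data.
type FirmwareImage struct {
	Version int
	Data    []byte
	Sig     []byte
}
// generateVendorKeys makes the signing pair; only pub is built into devices.
func generateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// firmwareDigest binds the version into the signed bytes, so an older signed
// image cannot simply be relabelled as a newer one.
func firmwareDigest(version int, data []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "firmware-v%d:", version) // constructed domain prefix
	h.Write(data)
	return h.Sum(nil)
}

// signFirmware runs on the vendor's build server, the only holder of priv.
func signFirmware(priv ed25519.PrivateKey, version int, data []byte) FirmwareImage {
	sig := ed25519.Sign(priv, firmwareDigest(version, data))
	return FirmwareImage{Version: version, Data: data, Sig: sig}
}

// verifyFirmware runs on the device holding only pub and its running version;
// downgrades, tampered data and foreign signatures are rejected before flashing.
func verifyFirmware(pub ed25519.PublicKey, running int, img FirmwareImage) error {
	if img.Version <= running {
		return fmt.Errorf("refusing downgrade or replay: running %d, offered %d", running, img.Version)
	}
	if !ed25519.Verify(pub, firmwareDigest(img.Version, img.Data), img.Sig) {
		return fmt.Errorf("signature check failed for version %d", img.Version)
	}
	return nil
}
```

Because the device never holds the private key, extracting its flash contents yields nothing that can sign a new image, which is the exposure the firmware update removed.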

IOActive's discovery of these flaws points to some of the concerns around the growing IoT trend that is sweeping the consumer space and hooking everything from refrigerators to thermostats to the Internet.

"As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customers' exposure and reduces risk," said IOActive researcher Mike Davis in a statement.

About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, directs several social media channels and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y...
