Researchers say WeMo devices flawed, suggest deactivating

Researchers say WeMo devices flawed, suggest deactivating

Summary: Hackers could remotely take over devices, power outlets in your home

TOPICS: Security, Privacy

Researchers are recommending that people stop using Belkin's WeMo Home Automation system devices after flaws were uncovered that expose passwords and cryptographic signing keys that could give hackers the ability to update firmware.

Late Tuesday afternoon, Belkin, which had been called out by researchers for not addressing the flaws, said it was preparing a statement. The statement was not available before this story posted. (The company has sinced issued a statement and patched the flaws.)

The WeMo vulnerabilities uncovered by research firm IOActive revealed that hackers could control devices and even acquire internal LAN access. IOActive's Mike Davis reported the flaws to US-CERT, which also issued an advisory and reported that it is currently unaware of "practical solutions" to the problem.

The advisories come just a few months after another researcher found flaws in the WeMo baby monitor that would allow attackers to use it as a bugging device.

IOActive said Belkin has not produced fixes for the flaws it discovered, which led the researchers to take the unusual step of recommending users deactivate WeMo devices. Those devices, all remotely addressable, include switches, electrical outlets, motion sensors and NetCams. Belkin is also marrying WeMo technology with appliances this year, including crockpots and coffee makers.

Just last week, Belkin announced it was named to Fast Company magazine's list of Top 10 Most Innovative Companies in the Internet of Things (IoT).

The uncovering of these flaws by IOActive, however, point to some of the concerns around the growing IoT trend that is sweeping the consumer space and hooking to the Internet everything from refrigerators to thermostats.

“As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customer’s exposure and reduces risk," Davis said in a statement.

Google recently spent $3.2 billion to acquire Nest, touching off talk that Google planned to go much deeper into the smart, connected device revolution. In addition, smart devices and IoT innovations dominated the recent Consumer Electronics Show.

While IoT technology may be new to the consumer space, the manufacturing industry and the shop floor are no strangers to smart devices. The only difference is that they are not readily addressable over public networks.

The flaws IOActive uncovered in WeMo depend on "cloud" network access. The research firm said the cloud features of WeMo devices are secure when used on a local network.

IOActive reported that WeMo's "Light Switch" firmware contains a set of issues that can be combined into a number of vulnerabilities, including remote control of devices, malicious firmware updates, and in some instances remote monitoring and internal LAN access.

All of the WeMo products include iPhone and Android applications for remotely monitoring on-board sensors and manipulating device controls.

IOActive found flaws in WeMo's implementation of the STUN/TURN protocol, which provides remote access to support firmware updates, and a GPG-based encrypted firmware distribution methods used to maintain device integrity during updates. The flaws allowed attackers to by-pass those features.

WeMo firmware images used to update devices are signed with public key encryption. But the researchers found the signing key and password are leaked on the firmware that is already installed on the devices.

Other flaws were discovered in the delivery mechanism for firmware update notices that allowed attackers to spoof the delivery feed, and a flaw in the WeMo Restful service that made it vulnerable to attack.The WeMo server API (application programming interface) also was found to have an XML inclusion vulnerability, which would allow attackers to compromise all WeMo devices.

US-CERT reported attackers would be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device.

Topics: Security, Privacy


John Fontana is a journalist focusing in identity, privacy and security issues. Currently, he is the Identity Evangelist for cloud identity security vendor Ping Identity, where he blogs about relevant issues related to digital identity.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I have expressed concerns

    about the security of the Internet of things for a while. I don't see the Internet of things taking off until there is a significant security structure in place. A few high profile failures could torpedo the entire concept. People are casual about computer and smartphone security. They are considerable less casual about the security of their home and family. The industry needs to get out in front of this-- not on a PR level-- but on a technical level
  • Security is only part of the problem

    I agree that security concerns are a serious problem with the Internet of Things. To me, however, the greater problem is essentially having our family's lives and activities an open book to marketers, the government, and who knows who else. Lusting after that goldmine of data is really what's behind the corporate impetus for the IoT. Can we really trust governments and large corporations to use all that data respectfully and wisely? I don't think so.
  • Cheap & careless design

    Belkin to me is just a company that makes cheap devices for tech people. I don't ever consider them the type of company that focusses on anything security wise in any big way. A lot of companies in tech are like this. They seem to introduce products based solely on a potential for profitability and they are popular products. Tech security is popular right now and no doubt consumers are looking for alternatives to expensive security services. Even phone companies and cable companies have now begun to jump on the home security bandwagon. To me any signal passing through the internet and also using wireless technology has at least two major flaws that can be exploited.