Belkin patches vulnerabilities in WeMo devices

Vendor patches firmware, API server, smartphone apps

WeMo developer Belkin has patched five vulnerabilities in its home automation lineup discovered by a research firm that detailed the flaws and advised people to deactivate the devices.

Belkin late Tuesday issued a statement saying it had been in contact with the researchers prior to their advisory being issued and had fixes for five vulnerabilities as of Feb. 18.

Research firm IOActive, which reported the flaws, said specifically in its report issued Feb. 18 that the vulnerabilities had not been patched and advised users to stop using WeMo devices. In addition, US-CERT issued an advisory and reported that it was currently unaware of "practical solutions" to the problem.

Belkin said its patches fixed issues in its WeMo API server, WeMo firmware and WeMo apps for iPhone and Android. Those were the issues detailed in the IOActive and US-CERT reports.

The IOActive researchers said hackers could take control of WeMo devices and even gain access to the internal LAN. IOActive recommended that users turn off the devices and reported the flaws to US-CERT, which then issued its own advisory.

The news came a week after Belkin announced it was named to Fast Company magazine's list of Top 10 Most Innovative Companies in the Internet of Things (IoT).

Late Tuesday, Belkin released a statement saying it "was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates."

Belkin said devices with the recent firmware release (version 3949) are not at risk for malicious firmware attacks and are not at risk for remote control or monitoring of WeMo devices from unauthorized devices.

The company said smartphone users should download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.2.1) and then upgrade the firmware version through the app.

The Belkin statement said specific fixes included:

  • An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices.
  • An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack.
  • An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that contains the most recent firmware update.
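The second fix above rests on one design property: a device that installs signed firmware should carry only the vendor's public key, so that compromising the device yields nothing that can sign a malicious image. The following is an added illustration of that property, not Belkin's code and not the WeMo update format; the image layout, the `Device` type and the key handling are constructed for the example. The vendor side signs with a private key that never leaves the build environment, and the device side verifies the signature with its embedded public key and also refuses to move to an older version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed, hypothetical update payload: a version
// number followed by the image bytes. It is not the WeMo format.
type FirmwareImage struct {
	Version uint32
	Body    []byte
}

// encode produces the exact bytes that are signed and later verified, so the
// version number is covered by the signature and cannot be rewritten in transit.
func (f FirmwareImage) encode() []byte {
	buf := make([]byte, 4+len(f.Body))
	binary.BigEndian.PutUint32(buf, f.Version)
	copy(buf[4:], f.Body)
	return buf
}

// SignFirmware runs on the vendor's build server. The private key stays there;
// nothing derived from it is shipped with the image or stored on the device.
func SignFirmware(priv ed25519.PrivateKey, img FirmwareImage) []byte {
	return ed25519.Sign(priv, img.encode())
}

// Device models the updater on the appliance. It holds only the vendor's
// public key and the version it is currently running.
type Device struct {
	VendorPub      ed25519.PublicKey
	RunningVersion uint32
}

var (
	ErrBadSignature = errors.New("firmware: signature does not verify")
	ErrRollback     = errors.New("firmware: version is not newer than the installed one")
)

// Install accepts an update only if the signature verifies under the embedded
// public key and the version moves forward. A download that fails either check
// is discarded before anything is written to flash.
func (d *Device) Install(img FirmwareImage, sig []byte) error {
	if !ed25519.Verify(d.VendorPub, img.encode(), sig) {
		return ErrBadSignature
	}
	if img.Version <= d.RunningVersion {
		return ErrRollback
	}
	d.RunningVersion = img.Version
	return nil
}

func main() {
	// Vendor side: key pair generated once; only pub is baked into devices.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, RunningVersion: 1}

	genuine := FirmwareImage{Version: 2, Body: []byte("constructed image v2")}
	sig := SignFirmware(priv, genuine)
	fmt.Println("genuine update:", dev.Install(genuine, sig))

	// Tampered body, original signature: rejected.
	tampered := FirmwareImage{Version: 2, Body: []byte("constructed image v2 + implant")}
	fmt.Println("tampered update:", dev.Install(tampered, sig))

	// Correctly signed but older image replayed at the device: rejected.
	old := FirmwareImage{Version: 1, Body: []byte("constructed image v1")}
	fmt.Println("replayed old update:", dev.Install(old, SignFirmware(priv, old)))
}
```

Transport security (the SSL encryption and validation the fix also adds) protects the feed in transit; the signature check above is what protects the device when the transport, the server, or the device's own storage is compromised, which is why the two measures are applied together rather than as alternatives.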

The uncovering of these flaws by IOActive points to some of the concerns around the growing IoT trend, which is sweeping the consumer space and connecting everything from refrigerators to thermostats to the Internet.

"As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customers' exposure and reduces risk," said IOActive researcher Mike Davis in a statement.