Researchers say WeMo devices flawed, suggest deactivating

Hackers could remotely take over devices, power outlets in your home
Written by John Fontana, Contributor

Researchers are recommending that people stop using Belkin's WeMo Home Automation system devices after flaws were uncovered that expose passwords and cryptographic signing keys that could give hackers the ability to update firmware.

Late Tuesday afternoon, Belkin, which had been called out by researchers for not addressing the flaws, said it was preparing a statement. The statement was not available before this story posted. (The company has since issued a statement and patched the flaws.)

The WeMo vulnerabilities uncovered by research firm IOActive revealed that hackers could control devices and even acquire internal LAN access. IOActive's Mike Davis reported the flaws to US-CERT, which also issued an advisory and reported that it is currently unaware of "practical solutions" to the problem.

The advisories come just a few months after another researcher found flaws in the WeMo baby monitor that would allow attackers to use it as a bugging device.

IOActive said Belkin has not produced fixes for the flaws it discovered, which led the researchers to take the unusual step of recommending users deactivate WeMo devices. Those devices, all remotely addressable, include switches, electrical outlets, motion sensors and NetCams. Belkin is also marrying WeMo technology with appliances this year, including crockpots and coffee makers.

Just last week, Belkin announced it was named to Fast Company magazine's list of Top 10 Most Innovative Companies in the Internet of Things (IoT).

The uncovering of these flaws by IOActive, however, points to some of the concerns around the growing IoT trend that is sweeping the consumer space and connecting everything from refrigerators to thermostats to the Internet.

“As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customer’s exposure and reduces risk,” Davis said in a statement.

Google recently spent $3.2 billion to acquire Nest, touching off talk that Google planned to go much deeper into the smart, connected device revolution. In addition, smart devices and IoT innovations dominated the recent Consumer Electronics Show.

While IoT technology may be new to the consumer space, the manufacturing industry and the shop floor are no strangers to smart devices. The only difference is that they are not readily addressable over public networks.

The flaws IOActive uncovered in WeMo depend on "cloud" network access. The research firm said the cloud features of WeMo devices are secure when used on a local network.

IOActive reported that WeMo's "Light Switch" firmware contains a set of issues that can be combined into a number of vulnerabilities, including remote control of devices, malicious firmware updates, and in some instances remote monitoring and internal LAN access.

All of the WeMo products include iPhone and Android applications for remotely monitoring on-board sensors and manipulating device controls.

IOActive found flaws in WeMo's implementation of the STUN/TURN protocol, which provides remote access to support firmware updates, and in a GPG-based encrypted firmware distribution method used to maintain device integrity during updates. The flaws allowed attackers to bypass those features.

WeMo firmware images used to update devices are signed with public key encryption. But the researchers found that the signing key and password are leaked in the firmware that is already installed on the devices.
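A vendor-side release check for the problem described above, added here as an illustration and not taken from IOActive, US-CERT or Belkin: a device needs only the public key to verify a signed image, so any private-key block in the shipped image should fail the build. It assumes the image has already been unpacked and that key material is stored in ASCII-armored form; the function names and the sample image are constructed for this example.

```python
import re

# ASCII-armor headers used by OpenPGP and PEM key files. Only the PRIVATE
# variants are release blockers; a device needs just the public key to verify.
ARMOR = re.compile(
    rb"-----BEGIN (PGP |RSA |EC |OPENSSH |ENCRYPTED )?(PRIVATE|PUBLIC) KEY( BLOCK)?-----"
)

def scan_image(image: bytes):
    """Return (offset, header, is_private) for every armored key header found."""
    findings = []
    for m in ARMOR.finditer(image):
        header = m.group(0).decode("ascii")
        findings.append((m.start(), header, m.group(2) == b"PRIVATE"))
    return findings

def release_blockers(image: bytes):
    """Private-key headers only: any hit should fail the firmware build."""
    return [(off, hdr) for off, hdr, private in scan_image(image) if private]

def build_sample_image() -> bytes:
    """Constructed stand-in for an unpacked firmware image (no real key data)."""
    public = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nCONSTRUCTED\n"
              b"-----END PGP PUBLIC KEY BLOCK-----\n")
    private = (b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nCONSTRUCTED\n"
               b"-----END PGP PRIVATE KEY BLOCK-----\n")
    return b"\x00" * 64 + public + b"\xff" * 32 + private + b"\x00" * 16

if __name__ == "__main__":
    image = build_sample_image()
    for offset, header in release_blockers(image):
        print(f"BLOCK RELEASE: {header} at offset {offset:#x}")
```

Binary keyrings and passphrases stored in scripts or configuration files are outside what this header scan detects and need their own checks.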

Other flaws were discovered in the delivery mechanism for firmware update notices that allowed attackers to spoof the delivery feed, and a flaw in the WeMo RESTful service that made it vulnerable to attack. The WeMo server API (application programming interface) also was found to have an XML inclusion vulnerability, which would allow attackers to compromise all WeMo devices.

US-CERT reported attackers would be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device.
