Belkin WeMo flaws could allow remote control of home electronics
Home automation devices, which allow users to remotely monitor and switch electronics on and off via their smartphones, contain a number of serious vulnerabilities, researchers have found.
According to Seattle-based security firm IOActive, Belkin's line of WeMo home automation devices is vulnerable to a range of hacks – from remote control of devices, to malicious firmware updates or attacks on other devices connected to users' internal home networks.
On Tuesday, IOActive sent SCMagazine.com the details on the bugs via a news release. That day, the CERT division of the Carnegie Mellon Software Engineering Institute (SEI) also posted an advisory on the five vulnerabilities.
According to SEI, the Belkin flaws entail a vulnerability in the WeMo Home automation firmware, related to the use of a hard-coded cryptographic key, which could be obtained by an attacker wishing to sign a malicious firmware update.
Other flaws include the WeMo devices not having a local certificate store to verify the integrity of Secure Sockets Layer (SSL) connections, and the cleartext transmission of sensitive data sent over the devices.
SEI also noted an XML injection vulnerability, which could lead to the contents of system files being exposed to attackers, and a security issue that could allow an attacker with control of one WeMo device to relay connections to another device in the Belkin line.
Belkin's website advertises four WeMo home automation devices, which allow users to manage a number of home electronics, including light switches, heaters, fans, lamps or stereos. After downloading WeMo apps compatible with Android and iPhones, users are able to remotely control or monitor devices while out of the house.
The WeMo Insight Switch, for instance, sends information to users about energy usage of home devices, like A/C units, TVs and washing machines.
“The vulnerabilities found within the Belkin WeMo devices expose users to several potentially costly threats, from home fires with possible tragic consequences to the simple waste of electricity,” the Tuesday release from IOActive said.
The firm added that the WeMo flaws could also enable other attacks, impacting users' computers and mobile devices.
“Additionally, once an attacker has established a connection to a WeMo device within a victim's network, the device can be used as a foothold to attack other devices such as laptops, mobile phones, and attached network file storage,” IOActive revealed.
According to the firm, Belkin did not respond to IOActive's attempts to reach out about the vulnerabilities.
In the meantime, IOActive recommends that users unplug all devices that are connected to the impacted WeMo products.
UPDATE: On Wednesday, a Belkin spokeswoman told SCMagazine.com in a statement that the company has addressed the "five potential vulnerabilities" affecting the WeMo line.
"Belkin was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates," the company said in the statement.
"Users with the most recent firmware release (version 3949) are not at risk for malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices as described in the report. Belkin urges such users to download the latest app from the App Store (version 1.4.2) or Google Play Store (version 1.1.2) and then upgrade the firmware version through the app."