Even the US government is warning about weaknesses in Belkin WeMo Home Automation kit
Half a million people could have been affected by vulnerabilities in Belkin WeMo Home Automation devices, which could have been used to carry out destructive attacks on users’ homes, but the company says it has now fixed the problems so users should be protected.
IOActive researcher Mike Davis found it would be possible to remotely control WeMo Home Automation attached devices over the Internet, or launch malicious firmware updates. In theory, these weaknesses could be used to cause a fire or simply use up electricity, costing the target money, the security consultancy warned.
One of the most significant weaknesses is that the signing key and password used to sign Belkin’s firmware are embedded in the firmware already installed on the devices. Anyone who extracts them from a shipped image can sign malicious firmware of their own, which the devices will then accept as genuine.
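The following Go program is an added illustration of why shipping the signing secret inside the firmware defeats the signature check; it is not code from the article, IOActive or Belkin, and the image layout (flag, length, payload, optional bundled private key, Ed25519 signature) is a constructed format, not WeMo’s. The device side holds only the public key and verifies the signature; the attacker side dumps a legitimate image and signs a malicious payload with whatever key it finds inside.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed image layout (hypothetical, not WeMo's real format):
//   flag(1) || payloadLen(4, big-endian) || payload || [private key, if bundled] || signature(64)
// The signature covers everything before it.
const (
	flagNoKey   byte = 0
	flagWithKey byte = 1
	hdrLen           = 5
)

// buildImage signs payload with sk. bundleKey=true reproduces the vendor
// mistake of copying the signing secret itself into the shipped firmware.
func buildImage(payload []byte, sk ed25519.PrivateKey, bundleKey bool) []byte {
	n := len(payload)
	img := []byte{flagNoKey, byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)}
	if bundleKey {
		img[0] = flagWithKey
	}
	img = append(img, payload...)
	if bundleKey {
		img = append(img, sk...)
	}
	return append(img, ed25519.Sign(sk, img)...)
}

// parseImage splits an image into payload, any embedded private key, the
// signed body and the signature, rejecting inconsistent lengths.
func parseImage(img []byte) (payload []byte, sk ed25519.PrivateKey, body, sig []byte, err error) {
	if len(img) < hdrLen+ed25519.SignatureSize {
		return nil, nil, nil, nil, errors.New("image too short")
	}
	n := int(img[1])<<24 | int(img[2])<<16 | int(img[3])<<8 | int(img[4])
	end := hdrLen + n
	if img[0] == flagWithKey {
		end += ed25519.PrivateKeySize
	}
	if end+ed25519.SignatureSize != len(img) {
		return nil, nil, nil, nil, errors.New("length fields do not match image size")
	}
	payload = img[hdrLen : hdrLen+n]
	if img[0] == flagWithKey {
		sk = ed25519.PrivateKey(img[hdrLen+n : end])
	}
	return payload, sk, img[:end], img[end:], nil
}

// deviceVerify is the device side: it holds only the vendor's public key and
// returns the payload only if the signature checks out.
func deviceVerify(pk ed25519.PublicKey, img []byte) ([]byte, error) {
	payload, _, body, sig, err := parseImage(img)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pk, body, sig) {
		return nil, errors.New("signature check failed")
	}
	return payload, nil
}

// forge is the attacker: dump a legitimate image, pull out whatever key was
// shipped inside it and sign a malicious payload. With no leaked key there
// is nothing to sign with.
func forge(dumped, malicious []byte) ([]byte, error) {
	_, leaked, _, _, err := parseImage(dumped)
	if err != nil {
		return nil, err
	}
	if leaked == nil {
		return nil, errors.New("dumped image contains no signing key; cannot forge")
	}
	return buildImage(malicious, leaked, false), nil
}

// demoSigning reports whether a forged image passes the device check when the
// private key was bundled in the firmware, and when only the public key shipped.
func demoSigning() (bool, bool, error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	legit := []byte("constructed firmware payload v1")
	evil := []byte("constructed malicious payload: relay stuck on")

	acceptedWhenKeyLeaked := false
	leaky := buildImage(legit, sk, true) // vendor mistake: key inside the image
	if forged, ferr := forge(leaky, evil); ferr == nil {
		got, verr := deviceVerify(pk, forged)
		acceptedWhenKeyLeaked = verr == nil && bytes.Equal(got, evil)
	}

	acceptedWhenKeyKept := false
	clean := buildImage(legit, sk, false) // correct build: key never leaves the vendor
	if forged, ferr := forge(clean, evil); ferr == nil {
		_, verr := deviceVerify(pk, forged)
		acceptedWhenKeyKept = verr == nil
	}
	return acceptedWhenKeyLeaked, acceptedWhenKeyKept, nil
}

func main() {
	leaked, kept, err := demoSigning()
	if err != nil {
		panic(err)
	}
	fmt.Println("forgery accepted, signing key shipped in firmware:", leaked)
	fmt.Println("forgery accepted, only public key shipped:        ", kept)
}
```

The point the example makes is that the device’s verification logic is identical in both runs; the only difference is whether the secret needed to produce a valid signature was handed to everyone who owns a device. The article’s leaked password is a second secret of the same kind and is not modelled separately here.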
Another problem is that Belkin WeMo devices do not validate Secure Sockets Layer (SSL) certificates, so an attacker who can intercept their traffic can impersonate Belkin’s cloud-based update services, push malicious firmware updates onto the connected devices and capture credentials too.
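As an added example (not code from the article or from Belkin), the Go program below shows what skipping certificate validation buys an impostor. An in-process HTTPS server with a self-signed test certificate stands in for a rogue host posing as the update service; a client that skips verification accepts it, a client using the default validation rejects it, and a client that pins the genuine vendor certificate accepts only a server presenting that certificate. The manifest string and the `updates.invalid` hostname are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetchManifest plays the device fetching an update manifest over HTTPS.
// skipVerify=true reproduces the flaw described above: any certificate is
// accepted, so anyone who can redirect the device's traffic can pose as the
// vendor. roots, if non-nil, is the CA set the device trusts; nil means the
// system roots.
func fetchManifest(url string, skipVerify bool, roots *x509.CertPool) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: skipVerify, // vulnerable when true
			RootCAs:            roots,      // hardened: pin the vendor's CA here
			MinVersion:         tls.VersionTLS12,
		},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// newUpdateServer starts an in-process HTTPS server with httptest's self-signed
// certificate. It chains to no public CA, so only a client that skips
// verification, or one that explicitly pins this certificate, will talk to it.
func newUpdateServer(manifest string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, manifest)
	}))
}

// demoTLS runs three device configurations against the same server and
// reports whether each one accepted the manifest.
func demoTLS() (noVerifyAccepted bool, sysRootsErr error, pinnedAccepted bool) {
	const manifest = "firmware=https://updates.invalid/evil.bin (constructed)"
	srv := newUpdateServer(manifest)
	defer srv.Close()

	// 1. No certificate validation: an impostor is accepted.
	body, err := fetchManifest(srv.URL, true, nil)
	noVerifyAccepted = err == nil && body == manifest

	// 2. Default validation against system roots: the unknown CA is rejected.
	_, sysRootsErr = fetchManifest(srv.URL, false, nil)

	// 3. Validation with the vendor certificate pinned: the genuine server,
	//    whose certificate is in the pool, is accepted.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	body, err = fetchManifest(srv.URL, false, pool)
	pinnedAccepted = err == nil && body == manifest
	return
}

func main() {
	noVerify, sysErr, pinned := demoTLS()
	fmt.Println("no validation, impostor accepted:     ", noVerify)
	fmt.Println("system roots, rejected with:          ", sysErr)
	fmt.Println("vendor cert pinned, genuine accepted: ", pinned)
}
```

For a device that only ever talks to one vendor, pinning the vendor CA (case 3) is the natural choice: it does not depend on the device carrying an up-to-date public root store, and it still rejects any certificate an attacker can obtain from a public CA for a look-alike name.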
According to the security firm, Belkin had not responded to repeated requests from both IOActive and the US government’s Computer Emergency Response Team (CERT), which has also put out an advisory on the weaknesses.
But Belkin told TechWeekEurope the problems had been addressed. “Belkin was in contact with the security researchers prior to the publication of the advisory, and, as of 18 February, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates,” a spokesperson said.
“Users with the most recent firmware release (version 3949) are not at risk for malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices. Belkin urges such users to download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.2.1) and then upgrade the firmware version through the app.”
Davis warned about the potential for abuse of the Internet of Things. “As we connect our homes to the Internet, it is increasingly important for Internet of Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles,” Davis said.
“This mitigates their customers’ exposure and reduces risk. Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home.”
Security companies have been warning about the potential for attacks exploiting automated networks of connected devices, known as the Internet of Things. Earlier this year, it was suggested connected things like fridges were used to send vast quantities of spam messages, a claim that was later disputed by security giant Symantec, which said the devices were simply on the same network as infected Windows PCs.