Mike Davis who is a principal research scientist in IOActive found that Belkin WeMo home automation modules have multiple vulnerabilities which could endanger homes of half million users.
According to the report, the vulnerabilities found in Belkin WeMo devices can potentially cause threats to users' house from anything as serious as opening doors to wasting electricity.
The attackers can do to following via Belkin WeMo devices:
- Remotely control WeMo Home Automation attached devices over the Internet
- Perform malicious firmware updates
- Remotely monitor the devices (in some cases)
- Access an internal home network.
It was found that Belkin WeMo firmware images uses public key encryption to protect against unauthorized modifications, but the sign in credentials are leaked via the firmware that's installed on the devices. Once the hackers get hold of these credentials, they can use their firmware to bypass security checks during the devices' firmware update process.
Also, Belkin WeMo devices does not validate SSL certificates when getting updates from Belkin's cloud service. This allows the hackers to use any SSL certificate to 'fake' Belkin Cloud Services and using the connection to upload malicious firmware and get login credentials at the same time. Belkin WeMo devices was also found to have other vulnerabilities, such as communication protocols and vulnerable API. The infrastructure that communicates with WeMo are based on an abused protocol made for VoIP services that bypasses firewall or NAT restrictions. There's also has a vulnerable API.
Davis said, "As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customer's exposure and reduces risk. Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home."
Meanwhile, the spokesperson said,"Our security teams are looking into the vulnerabilities now. I hope to have an official statement later on this afternoon on potential fixes and timing and will update you as soon as I can."
Update: Belkin responded to this article with a link stating that they have fixed the security vulnerabilities found in their Belkin WeMo devices. One of the issues was resolved on November 5th which prevents the XML injection attack. It is recommended that Belkin WeMo users update their firmware from its support website.
The firmware fix are as follows:
1) An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices.
2) An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack
3) An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that enables the most recent firmware update