Multiple vulnerabilities found in Belkin WeMo home automation modules

Multiple vulnerabilities were found in Belkin WeMo devices that can put a user's home and connected devices under an attacker's control.


Mike Davis, a principal research scientist at IOActive, found that Belkin WeMo home automation modules have multiple vulnerabilities that could endanger the homes of half a million users.


According to the report, the vulnerabilities found in Belkin WeMo devices could expose users' homes to threats ranging from something as serious as opening doors to wasting electricity.

Attackers can do the following via Belkin WeMo devices:

  • Remotely control WeMo Home Automation attached devices over the Internet
  • Perform malicious firmware updates
  • Remotely monitor the devices (in some cases)
  • Access an internal home network.

Belkin WeMo firmware images use public key encryption to protect against unauthorized modifications, but the signing credentials are leaked in the firmware that is installed on the devices. Once attackers get hold of these credentials, they can use their own firmware to bypass security checks during the devices' firmware update process.

Belkin WeMo devices also do not validate SSL certificates when getting updates from Belkin's cloud service. This allows attackers to use any SSL certificate to impersonate Belkin's cloud services, and to use that connection to upload malicious firmware and capture login credentials at the same time. Other vulnerabilities were found in the communication protocols and the API: the infrastructure that communicates with WeMo devices is based on an abused protocol, originally made for VoIP services, that bypasses firewall or NAT restrictions, and the API itself is vulnerable.

Davis said, "As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customer's exposure and reduces risk. Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home."

Meanwhile, the spokesperson said, "Our security teams are looking into the vulnerabilities now. I hope to have an official statement later on this afternoon on potential fixes and timing and will update you as soon as I can."

Update: Belkin responded to this article with a link stating that they have fixed the security vulnerabilities found in their Belkin WeMo devices. One of the fixes, made on November 5th, prevents the XML injection attack. Belkin WeMo users are advised to update their firmware from Belkin's support website.

The fixes are as follows:

1) An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices.

2) An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack.

3) An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that enables the most recent firmware update.
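A release-time check for the second fix above (no signing key stored on the device), added here as an example and not taken from Belkin, IOActive or the original article: it walks an unpacked firmware root filesystem and flags any file that contains private-key armor headers. The directory layout, file names and key contents are constructed, and the 4 MiB read cap is an assumption.

```python
import os
import re
import tempfile

# Armor headers that mark private key material (PEM and OpenPGP).
PRIVATE_KEY_MARKER = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY"
    rb"|PGP PRIVATE KEY BLOCK)-----"
)
MAX_BYTES = 4 * 1024 * 1024  # assumption: key files are small, so cap the read per file

def find_private_keys(rootfs):
    """Return sorted (relative_path, marker) pairs for files holding private keys."""
    findings = []
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and device nodes found in unpacked images
            with open(path, "rb") as fh:
                data = fh.read(MAX_BYTES)
            match = PRIVATE_KEY_MARKER.search(data)
            if match:
                rel = os.path.relpath(path, rootfs).replace(os.sep, "/")
                findings.append((rel, match.group(1).decode()))
    return sorted(findings)

def build_sample_rootfs(root):
    """Constructed sample tree: a public key (fine to ship) and a private key (not)."""
    os.makedirs(os.path.join(root, "etc", "update"))
    os.makedirs(os.path.join(root, "sbin"))
    samples = {
        "etc/update/verify.pub": b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n",
        "etc/update/signing.pem": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
        "sbin/updater": b"\x7fELF\x00\x01 constructed binary without key material",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        return find_private_keys(root)

if __name__ == "__main__":
    for path, marker in demo():
        print(f"FAIL: {path} contains {marker}")
```

A device that only verifies updates needs the public half of the key pair, so any hit from this check in a release image is a build failure.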


After being a long time PC enthusiast and a former contributor for many Indian based PC and Tech forums, Roshan now joins TweakTown covering tech news and also any developments from India. Like many enthusiasts, with years of being involved in many Indian tech forums and running his own tech site, he's commonly referred by his forum nickname 'The Sorcerer' by many old and new fellow PC enthusiasts, followed by few companies from time to time. He's also the winner of the TweakTown's Computex 2012 Taipei trip. If any free time is left, Roshan prefers to play FPS games.
