When U.S. CERT comes knocking, it seems unwise for a company to stick its head in the sand and hide. But that’s reportedly what happened when the CERT division of the Carnegie Mellon Software Engineering Institute tried to contact Belkin about numerous vulnerabilities discovered in Belkin WeMo home automation devices.
Belkin WeMo security holes threaten over half a million users
CERT was contacted by researchers from IOActive after they uncovered “multiple vulnerabilities in Belkin WeMo Home Automation devices that could affect over half a million users.” Since Belkin failed to issue a fix for any of the flaws, IOActive “recommends unplugging all devices from the affected WeMo products.”
If you’ve dropped any money into WeMo products, such as the Belkin WeMo Switch and Motion, WeMo Light Switch, Insight Switch and WeMo Switch, then you are probably not fond of the idea of unplugging your WeMo version of home automation. With apps for both Android and iOS to make setup quick and easy, WeMo products are some of the most popular home automation devices on the market. However, according to the CERT advisory for WeMo, “A remote unauthenticated attacker may be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device.” Furthermore, “We are currently unaware of a practical solution to this problem.”
There are five separate vulnerabilities listed in CERT’s advisory, starting with “Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware update.”
IOActive researchers published a five-page report [pdf] detailing the WeMo flaws, but warned in simple terms that the WeMo vulnerabilities “expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.”
Additionally, once an attacker has established a connection to a WeMo device within a victim’s network, the device can be used as a foothold to attack other devices such as laptops, mobile phones, and attached network file storage.
IOActive is far from the first to warn about WeMo’s hackability; in January 2013, researcher Daniel Buentello plugged a lamp into a WeMo switch and “made it blink like it was possessed, with the relay clicking on and off, faster and faster like it might blow up until it had a strobe effect.” In October 2013, a researcher highlighted security flaws in Belkin’s WeMo Switch, Wi-Fi NetCam and WeMo Baby that made eavesdropping easy.
Of course it’s not just WeMo; at the 2013 Black Hat Home Invasion v2.0 presentation, Trustwave researchers discussed the poor security they found when testing a Belkin WeMo Switch, Linksys Media Adapter, Radio Thermostat, and Sonos Bridge, as well as a $6,000 Satis smart toilet. In fact, hacking and attacking automated homes, targeting the Zigbee and Z-Wave wireless protocols, were hot topics in 2013 at Black Hat USA and Def Con. In August 2013, an attacker hacked a Foscam wireless IP camera to spy on and curse at a baby. TRENDnet IP cameras have been a Peeping Tom’s paradise since at least 2011.
The Internet of Things is expected to be “roughly equal to the number of smartphones, smart TVs, tablets, wearable computers, and PCs combined,” according to a forecast from BI Intelligence. There are currently about 1.9 billion IoT devices, but that’s predicted to reach 9 billion by 2018. Cisco predicts the IoT will grow to 50 billion devices by 2020. Have you ever stopped to wonder how many of those 9 to 50 billion IoT devices will be insecure and exploitable?
Belkin had better get its head out of the sand and patch these holes lickety-split, because you know not everyone will hear about the flaws or bother to toss out their WeMo investment even if they do. If half of those people don’t, and WeMo gets hacked or causes fires in all of those homes, about a quarter of a million of them…now that would be an ugly lawsuit. Get busy, Belkin!