IOActive researchers uncovered numerous vulnerabilities in all Belkin WeMo home automation devices that put over half a million WeMo users at risk of being hacked, but when CERT tried to contact Belkin, Belkin chose not to respond at all.

When U.S. CERT comes knocking, it seems unwise for a company to stick its head in the sand and hide. But that’s reportedly what happened when the CERT division of the Carnegie Mellon Software Engineering Institute tried to contact Belkin about numerous vulnerabilities discovered in Belkin WeMo home automation devices.

CERT was contacted by researchers from IOActive after they uncovered “multiple vulnerabilities in Belkin WeMo Home Automation devices that could affect over half a million users.” Since Belkin failed to issue a fix for any of the flaws, IOActive “recommends unplugging all devices from the affected WeMo products.”

If you’ve dropped any money into WeMo products, such as the Belkin WeMo Switch and Motion, WeMo Light Switch, Insight Switch and WeMo Switch, then you are probably not fond of the idea of unplugging your WeMo home automation gear. With apps for both Android and iOS to make setup quick and easy, WeMo products are some of the most popular home automation devices on the market. However, according to the CERT advisory for WeMo, “A remote unauthenticated attacker may be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device.” Furthermore, “We are currently unaware of a practical solution to this problem.”

There are five separate vulnerabilities listed in CERT’s advisory, starting with “Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware update.” IOActive researchers published a five-page report [pdf] detailing the WeMo flaws, but warned in simple terms that the WeMo vulnerabilities “expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.”

Additionally, once an attacker has established a connection to a WeMo device within a victim’s network, the device can be used as a foothold to attack other devices such as laptops, mobile phones, and attached network file storage.

IOActive is far from the first to warn about WeMo’s hackability. In January 2013, researcher Daniel Buentello plugged a lamp into a WeMo switch and “made it blink like it was possessed, with the relay clicking on and off, faster and faster like it might blow up until it had a strobe effect.” In October 2013, a researcher highlighted security flaws in Belkin’s WeMo Switch, Wi-Fi NetCam and WeMo Baby that made eavesdropping easy. Of course it’s not just WeMo; at the 2013 Black Hat Home Invasion v2.0 presentation, Trustwave researchers discussed poor security discovered when testing a Belkin WeMo Switch, Linksys Media Adapter, Radio Thermostat, and Sonos Bridge…as well as a $6,000 Satis smart toilet. In fact, hacking and attacking automated homes, targeting the Zigbee and Z-Wave wireless protocols, were hot topics in 2013 at Black Hat USA and Def Con. In August 2013, an attacker hacked a Foscam wireless IP camera to spy on and curse at a baby. TRENDnet IP cameras have been a Peeping Tom’s paradise since at least 2011.

The Internet of Things is expected to be “roughly equal to the number of smartphones, smart TVs, tablets, wearable computers, and PCs combined,” according to a forecast from BI Intelligence. There are currently about 1.9 billion IoT devices, but that’s predicted to reach 9 billion by 2018. Cisco predicts the IoT will grow to 50 billion devices by 2020.
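The first advisory item above is the hard-coded key that lets anyone who extracts it sign a firmware update. The following Go program is an added illustration of why that design fails and what the fix looks like; it is not IOActive's code, not Belkin's firmware mechanism, and assumes nothing about the actual WeMo algorithm. It contrasts a constructed shared-secret scheme (the same key both signs updates and ships inside the device image, so extracting the image yields signing capability) with a public-key scheme in which the device carries only an Ed25519 verification key and the private key stays with the vendor. All keys and the firmware image are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample firmware image; stands in for a real update file.
var firmwareImage = []byte("CONSTRUCTED-FIRMWARE-IMAGE v1.0")

// tamper returns a modified copy of an image, as a malicious update would be.
func tamper(image []byte) []byte {
	return append([]byte("TAMPERED:"), image...)
}

// --- Weak design: a shared secret baked into the device image -------------
//
// The same key both signs updates and lets the device check them, so it
// has to be stored on every device. Whoever reads it out of the firmware
// can sign. The value is a constructed placeholder, not a real key.
var hardcodedUpdateKey = []byte("PLACEHOLDER-shared-update-secret")

// hmacTag is the tag a shared-secret scheme attaches to an image.
func hmacTag(key, image []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

// DeviceAcceptsHMAC models the device-side check in the weak design.
func DeviceAcceptsHMAC(image, tag []byte) bool {
	return hmac.Equal(hmacTag(hardcodedUpdateKey, image), tag)
}

// ExtractedKeyCanForge shows the failure mode: a key recovered from the
// image yields a tag the device accepts on a tampered image.
func ExtractedKeyCanForge() bool {
	extracted := hardcodedUpdateKey // obtained simply by reading the image
	bad := tamper(firmwareImage)
	return DeviceAcceptsHMAC(bad, hmacTag(extracted, bad))
}

// --- Sound design: only a public verification key ships on the device -----

type Vendor struct{ priv ed25519.PrivateKey } // kept offline by the vendor
type Device struct{ pub ed25519.PublicKey }   // the only key in the image

func NewVendorAndDevice() (*Vendor, *Device) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Vendor{priv: priv}, &Device{pub: pub}
}

// Sign runs on the vendor's signing host, never on the device.
func (v *Vendor) Sign(image []byte) []byte { return ed25519.Sign(v.priv, image) }

// Accepts is the device-side check: the signature must verify under the
// embedded public key.
func (d *Device) Accepts(image, sig []byte) bool {
	return ed25519.Verify(d.pub, image, sig)
}

// ExtractedPublicKeyCannotForge: dumping the image yields only the public
// key, so a signature made under any other key is rejected.
func ExtractedPublicKeyCannotForge(d *Device) bool {
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bad := tamper(firmwareImage)
	return !d.Accepts(bad, ed25519.Sign(otherPriv, bad))
}

func main() {
	fmt.Println("shared-secret design forgeable with extracted key:", ExtractedKeyCanForge())
	v, d := NewVendorAndDevice()
	sig := v.Sign(firmwareImage)
	fmt.Println("public-key design accepts genuine update:", d.Accepts(firmwareImage, sig))
	fmt.Println("public-key design rejects tampered image under genuine sig:", !d.Accepts(tamper(firmwareImage), sig))
	fmt.Println("public-key design rejects signature from a non-vendor key:", ExtractedPublicKeyCannotForge(d))
}
```

The design point is that verification material stored on the device should be useless for signing: with the public-key scheme, a full firmware dump hands an attacker nothing they can use to produce an update the device will install, which is exactly the property the hard-coded shared key in the advisory lacks.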
Have you ever stopped to wonder how many of those 9 – 50 billion IoT devices will be insecure and exploitable?

Belkin had better get its head out of the sand and patch these holes lickety-split, because you know not everyone will hear about the flaws or bother to toss out their WeMo investment even if they do. If half of those people don’t, and WeMo were hacked or caused fires in all of those homes, roughly a quarter of a million of them…now that would be an ugly lawsuit. Get busy, Belkin!

***Update: Belkin reached out and responded to me regarding this article. Unplugging your WeMo products won’t be necessary because Belkin fixed the security flaws. Here’s the good news and what Belkin WeMo home automation device owners need to know in order to be secure.

Follow me on Twitter @PrivacyFanatic