500,000 Belkin WeMo users could be hacked; CERT issues advisory

When U.S. CERT comes knocking, it seems unwise for a company to stick its head in the sand and hide. But that’s reportedly what happened when the CERT division of the Carnegie Mellon Software Engineering Institute tried to contact Belkin about numerous vulnerabilities discovered in Belkin WeMo home automation devices.

CERT was contacted by researchers from IOActive after they uncovered “multiple vulnerabilities in Belkin WeMo Home Automation devices that could affect over half a million users.” Since Belkin failed to issue a fix for any of the flaws, IOActive “recommends unplugging all devices from the affected WeMo products.”

If you’ve dropped any money into WeMo products, such as Belkin WeMo switch and motion, WeMo Light switch, Insight switch and WeMo switch, then you are probably not pleased or fond of the idea of unplugging your WeMo versions of home automation. With apps for both Android and iOS to make setup quick and easy, WeMo products are some of the most popular home automation devices on the market. However, according to the CERT advisory for WeMo, “A remote unauthenticated attacker may be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device.” Furthermore, “We are currently unaware of a practical solution to this problem.”

There are five separate vulnerabilities listed in CERT’s advisory, starting with “Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware update.”

IOActive researchers published a five-page report [pdf] detailing the WeMo flaws, but warned in simple terms that the WeMo vulnerabilities “expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.”

Additionally, once an attacker has established a connection to a WeMo device within a victim’s network; the device can be used as a foothold to attack other devices such as laptops, mobile phones, and attached network file storage.

IOActive is far from the first to warn about WeMo’s hackability; in January 2013, researcher Daniel Buentello plugged a lamp into a WeMo switch and “made it blink like it was possessed, with the relay clicking on and off, faster and faster like it might blow up until it had a strobe effect.” In October 2013, a researcher highlighted security flaws in Belkin’s WeMo Switch, Wi-Fi NetCam and WeMo Baby that made eavesdropping easy.

Of course it’s not just WeMo; at the 2013 Black Hat Home Invasion v2.0 presentation, Trustwave researchers discussed poor security issues discovered when testing a Belkin WeMo Switch, Linksys Media Adapter, Radio Thermostat, and Sonos Bridge…as well as a $6,000 Satis smart toilet. In fact, hacking and attacking automated homes, targeting Zigbee and Z-wave wireless protocols, were hot topics in 2013 at Black Hat USA and Def Con. In August 2013, an attacker hacked a Foscam wireless IP camera to spy on and curse at a baby. TRENDnet IP cameras have been a Peeping Tom’s paradise since at least 2011.

The Internet of Things is expected to be “roughly equal to the number of smartphones, smart TVs, tablets, wearable computers, and PCs combined,” according to a forecast from BI Intelligence. There are currently about 1.9 billion IoT devices, but that’s predicted to reach 9 billion by 2018. Cisco predicts the IoT will grow to 50 billion devices by 2020. Have you ever stopped to wonder how many of those 9 – 50 billion IoT devices will be insecure and exploitable?

Belkin had better get its head out of the sand and patch these holes lickety-split because you know not everyone will hear about the flaws or bother to toss out their WeMo investment even if they do. If half of the people don’t, and WeMo is hacked or were to cause fires in all those, about a quarter of a million homes…now that would be an ugly lawsuit. Get busy, Belkin!

***Update: Belkin reached out and responded to me regarding this article. Unplugging your WeMo products won’t be necessary because Belkin fixed the security flaws. Here’s the good news and what Belkin WeMo home automation device owners need to know in order to be secure.

Like this? Here’s more posts:

• How to easily encrypt email with Virtru for free: Gmail, Hotmail, Outlook, Yahoo
• Some gamers steamed over alleged Valve anti-cheat DNS spying
• Microsoft: Targeted phishing attacks allowed SEA to steal law enforcement documents
• How to customize Windows 8.1 Start screen and keyboard shortcut tricks
• Microsoft surveys tech elites on online privacy
• Microsoft finally gets a clue: Boot to desktop as default in Windows 8.1 update
• Senator Rand Paul sues President Obama over NSA phone surveillance
• Microsoft to offer free 8GB of OneDrive storage if you refer friends
• How to change Windows 8.1 to local account with no Microsoft email account required
• EFF on cyber attack against hacktivists: CFAA for you; impunity for feds
• Security expert publishes truth & tech details behind NBC’s Sochi hacking story

Follow me on Twitter @PrivacyFanatic