Belkin fixes WeMo security holes, updates firmware and app

Feb 19, 2014 | 5 min read

Belkin issued fixes for the five security vulnerabilities listed in the CERT advisory.

If you’ve made the decision to try home automation and WeMo, then you might have noticed that Belkin WeMo is like a potato chip; you can’t have just one. If you try it and like it, then the next thing you know, you have all sorts of WeMo devices.

If that describes you, then you were probably a pretty unhappy camper after being told that Belkin chose not to respond about the security holes and therefore you should unplug your WeMo products. That won’t be necessary, according to Leah Polk, Senior Global Public Relations Manager at Belkin.

Yesterday, U.S. CERT issued an advisory for five vulnerabilities in WeMo devices; CERT was “unaware of a practical solution.” IOActive researchers had uncovered the WeMo security flaws that “could affect over half a million users” and reported the vulnerabilities to CERT. IOActive said CERT “made several attempts to contact Belkin about the issues, however, Belkin was unresponsive. Due to Belkin not producing any fixes for the issues discussed, IOActive felt it important to release an advisory and recommends unplugging all devices from the affected WeMo products.”

But Belkin said it did close the holes in WeMo, so you should be secure if you have the latest app and firmware updated to version 3949. Here’s Belkin’s official position on the issue:

Belkin has corrected the list of five potential vulnerabilities affecting the WeMo line of home automation solutions that was published in a CERT advisory on February 18. Belkin was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates. Users with the most recent firmware release (version 3949) are not at risk for malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices. Belkin urges such users to download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.2.1) and then upgrade the firmware version through the app.

Specific fixes Belkin has issued include:

1) An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices.

2) An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack.

3) An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that contains the most recent firmware update.

WeMo setup “Internet not available” error on Samsung Galaxy S4, Note 2, Note 3

Here’s one more little WeMo troubleshooting tidbit in case you have a Samsung Galaxy S4, Galaxy Note 2 or Galaxy Note 3 (and likely the upcoming Galaxy S5), because a setup that should take minutes can instead stretch into hours. WeMo became Android-friendly last summer, but setup can be seriously strange on Samsung Galaxy devices.

In theory, after installing the Android app, you simply plug in your WeMo, tap Wi-Fi and wait for the WeMo network to show up. Tap it, then open the WeMo app, which will verify that you are connected and ask you to select your Wi-Fi network and enter its password. After the app connects and you give the WeMo device a custom name, you will be informed about any firmware updates. Make sure you update to stay secure. You can then create rules within the app, set up remote access, or connect your WeMo switch, motion detector, or light switch to IFTTT (If This/Then That).

If you are on a Samsung device, such as a Galaxy Note 3, setup is not that easy. Instead, you will try to connect through the WeMo app and get an “Internet not available” error before the phone jumps back to your default Wi-Fi. You can try resetting your WeMo device, rebooting the router, uninstalling and reinstalling the WeMo app and even restarting your phone, as suggested here, but if those all fail, your best bet is to borrow someone’s device that is not a Samsung Galaxy for the WeMo setup.

So far, after setting up five different WeMo devices via other Android or iOS devices, I have found that once the device is connected to the network, the WeMo app on a Galaxy Note 3 simply opens and works. While that may not sound like much of an issue, after your five-minute setup turns into hours of frustration, you will be glad to find a fix. Just, I’m sure, as you are glad Belkin closed the security holes in WeMo.


ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.