Belkin's WeMo Connected Home Devices Vulnerable to Takeover: IOActive
As the number of Internet-connected devices, including those within the home, escalates, there are growing concerns about security risks. Security firm IOActive revealed Feb. 18 that it discovered multiple vulnerabilities in Belkin's WeMo connected home devices.
The WeMo devices—which include Internet-connected power and light switches that enable users to control their plugged-in devices over the Internet via iOS and Android apps—are vulnerable to multiple risks that could enable an attacker to control a user's device, add malicious firmware updates or even gain access to a user's home network, according to IOActive.
IOActive first contacted the U.S. Computer Emergency Response Team (CERT) on Oct. 23, and CERT contacted Belkin on Oct. 24, said Mike Davis, IOActive's principal research scientist.
"We can confirm Belkin got the vulnerability information, as a member of the Belkin team contacted me via LinkedIn; we discussed the vulnerabilities, but they didn't follow up on it," Davis told eWEEK.
Belkin was unable to provide a comment to eWEEK by press time about the IOActive security issues.
IOActive reported that the WeMo devices could potentially be infected with malicious updates. According to IOActive's research, the WeMo firmware updates are secured with public key encryption to protect against unauthorized modifications. The problem is that the signing key is available on the device itself.
The WeMo updates occur via a connection to Belkin, which is set up using insecure Domain Name System (DNS) requests that are easily hijacked, Davis said.
"This wouldn't be a problem if it weren't for the lack of SSL [Secure Sockets Layer] signature checking on the firmware upgrade link," Davis said. "So at this point, if the firmware is correctly signed, the device has no way of knowing it has received a malicious update."
There are multiple ways that a device can check to see if an SSL certificate is in fact valid. What is needed, Davis said, is simple checking that the certificate wasn't self-signed, and that the certificate was signed by a valid certificate authority.
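The certificate checks described above, sketched as an added example in Python (not code from IOActive, Belkin or the WeMo firmware): a TLS context with checking switched off next to one that requires a chain to a trusted certificate authority and a matching host name, plus a guard that refuses to download through the former. All function names are hypothetical.

```python
import ssl
import urllib.request


def weak_update_context():
    """The flaw described above: TLS is used but the certificate is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be turned off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, self-signed included, is accepted
    return ctx


def hardened_update_context(cafile=None):
    """Require a chain to a trusted CA and a certificate matching the host name."""
    # cafile=None uses the platform trust store; a device could pin a vendor CA file.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the certificate-checking gaps in an SSLContext (empty list = none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified: self-signed or unknown-CA certificates pass")
    if not ctx.check_hostname:
        findings.append("host name not checked: a valid certificate for another site passes")
    return findings


def fetch_firmware(url, ctx, timeout=10):
    """Download an update only over HTTPS with a context that passes the audit."""
    if not url.lower().startswith("https://"):
        raise ValueError("firmware URL must use https")
    gaps = audit_context(ctx)
    if gaps:
        raise ValueError("refusing download: " + "; ".join(gaps))
    # With the hardened context, a hijacked DNS answer leads to a failed
    # certificate check and a raised error instead of a downloaded image.
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("weak:", audit_context(weak_update_context()))
    print("hardened:", audit_context(hardened_update_context()))
```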
Belkin's WeMo is using a protocol to communicate with devices in a manner that is not particularly secure, Davis said. Session Traversal Utilities for Network Address Translation (STUN) and the associated Traversal Using Relays around Network Address Translation (TURN) are being misused.
"They are misusing a subproject of the Asterisk open-source project, which provides a STUN/TURN proxy reference implementation," Davis said. "The current configuration Belkin is running, essentially using STUN/TURN to create a virtual VPN of the Belkin device, was never considered in the proxies' security model."
While there are risks in the WeMo security model, Davis said that he has zero evidence that someone is hacking away at the Belkin network.
"This was just a fun project I tinkered with once Amazon offered me the light switch for sale," Davis said. "But if I were being perfectly honest here, I'm surprised that no one else reported this issue while we took a glacial pace in releasing this due to unresponsiveness from the vendor."
From a threat-mitigation perspective, there isn't much a WeMo user can do to limit the risk. One possibility is to put the WeMo devices on their own subnet, restricting the ability of the WeMo devices to interact with the rest of the home network. That said, if the concern is that an attacker may control the user's power switch remotely, that is still a problem, Davis said.
"Right now, we're saying that there is no safe configuration with the device firmware as it is," Davis said. "And without a clear accounting of how these issues were addressed, we would continue recommending that they be disconnected from the network."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.