    Belkin’s WeMo Connected Home Devices Vulnerable to Takeover: IOActive

    By Sean Michael Kerner - February 19, 2014

      As the number of Internet-connected devices, including those within the home, escalates, there are growing concerns about security risks. Security firm IOActive revealed Feb. 18 that it discovered multiple vulnerabilities in Belkin’s WeMo connected home devices.

      The WeMo devices—which include Internet-connected power and light switches that enable users to control their plugged-in devices over the Internet via iOS and Android apps—are vulnerable to multiple risks that could enable an attacker to control a user’s device, add malicious firmware updates or even gain access to a user’s home network, according to IOActive.

      IOActive first contacted the U.S. Computer Emergency Response Team (CERT) on Oct. 23, and CERT contacted Belkin on Oct. 24, said Mike Davis, IOActive’s principal research scientist.

      “We can confirm Belkin got the vulnerability information, as a member of the Belkin team contacted me via LinkedIn; we discussed the vulnerabilities, but they didn’t follow up on it,” Davis told eWEEK.

      Belkin was unable to provide a comment to eWEEK by press time about the IOActive security issues.

      IOActive reported that the WeMo devices could potentially be infected with malicious updates. According to IOActive’s research, the WeMo firmware updates are protected by public-key signatures intended to guard against unauthorized modifications. The problem is that the signing key is available on the device itself, so the device cannot tell a vendor-signed update from one signed with a key extracted from the hardware.

      The WeMo device locates Belkin’s update service through ordinary, unauthenticated Domain Name System (DNS) requests, which are easily hijacked, Davis said.

      “This wouldn’t be a problem if it weren’t for the lack of SSL [Secure Sockets Layer] signature checking on the firmware upgrade link,” Davis said. “So at this point, if the firmware is correctly signed, the device has no way of knowing it has received a malicious update.”

      There are several ways a device can verify that an SSL certificate is valid. What is needed, Davis said, is a simple check that the certificate is not self-signed and that it was issued by a trusted certificate authority.
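      As an added illustration (not code from the article, from IOActive or from Belkin’s firmware), the two client configurations described above, written with Python’s standard ssl module: the non-verifying setting that lets a hijacked update link succeed, beside the verifying one, plus the explicit self-signed test Davis mentions. The hostnames and CA name are constructed placeholders.

```python
import ssl
from typing import Optional

# Constructed sample peer certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); hostnames and CA name are placeholders.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "update.example.invalid"),),),
    "issuer": ((("commonName", "update.example.invalid"),),),
}
CA_SIGNED_CERT = {
    "subject": ((("commonName", "update.example.invalid"),),),
    "issuer": ((("organizationName", "Example Root CA"),),
               (("commonName", "Example Root CA"),)),
}


def insecure_update_context() -> ssl.SSLContext:
    """The weak setting the article describes: the connection is TLS, but
    the server certificate is never checked, so whatever host a hijacked
    DNS answer points the device at is accepted as the update server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_update_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verifying client: the chain must end at a trusted CA (the system
    store, or a vendor-pinned bundle if cafile is given), the certificate
    name must match the update host, and pre-1.2 TLS is refused."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_self_signed(peercert: dict) -> bool:
    """Issuer equal to subject means the certificate vouches only for itself;
    chain verification rejects this anyway, but the explicit test mirrors
    the 'not self-signed' rule Davis describes."""
    return peercert.get("subject") == peercert.get("issuer")


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context enforces both chain and hostname checks."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
```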

      Belkin’s WeMo communicates with its devices through a protocol used in a manner that is not particularly secure, Davis said. Session Traversal Utilities for NAT (STUN) and the associated Traversal Using Relays around NAT (TURN) are being misused.

      “They are misusing a subproject of the Asterisk open-source project, which provides a STUN/TURN proxy reference implementation,” Davis said. “The current configuration Belkin is running, essentially using STUN/TURN to create a virtual VPN of the Belkin device, was never considered in the proxies’ security model.”

      Risks

      While there are risks in the WeMo security model, Davis said that he has no evidence that anyone is actively attacking the Belkin network.

      “This was just a fun project I tinkered with once Amazon offered me the light switch for sale,” Davis said. “But if I were being perfectly honest here, I’m surprised that no one else reported this issue while we took a glacial pace in releasing this due to unresponsiveness from the vendor.”

      From a threat-mitigation perspective, there isn’t much a WeMo user can do to limit the risk. One possibility is to put the WeMo devices on their own subnet, restricting their ability to interact with the rest of the home network. That said, if the concern is that an attacker may remotely control the user’s power switch, that remains a problem, Davis said.

      “Right now, we’re saying that there is no safe configuration with the device firmware as it is,” Davis said. “And without a clear accounting of how these issues were addressed, we would continue recommending that they be disconnected from the network.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
