Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Networking

    Belkin Says It Fixed WeMo Flaws Noted in IOActive Security Advisory

    By
    Sean Michael Kerner
    -
    February 20, 2014
    Share
    Facebook
    Twitter
    Linkedin

      Belkin International issued a statement late on Feb. 18 that it has fixed vulnerabilities in its WeMo line of home-electronics control devices that were reported by security research firm IOActive.

      Earlier on Feb. 18, IOActive issued a public advisory warning of vulnerabilities in Belkin’s WeMo connected home devices. The WeMo product line includes Internet connected light and power switches that enable users to remotely control their devices via IOS and Android mobile apps.

      U.S. CERT (Computer Emergency Response Team) issued its own vulnerability note on Feb. 18 that identified five vulnerabilities that could put WeMo users at risk.

      However, in a statement emailed to eWEEK late on Feb. 18 Belkin claimed it has resolved those vulnerabilities. “Belkin has corrected the list of five potential vulnerabilities affecting the WeMo line of home automation solutions that was published in a CERT advisory on February 18,” Belkin’s statement said.

      CERT also updated its vulnerability note on Feb. 19 making note of the Belkin statement that it has fixed it products. The CERT note indicates that it was first notified of the WeMo issues on Oct. 24, 2013. In an interview with eWEEK on Feb. 18, Mike Davis, IOActive’s principal research scientist said that he was aware that Belkin received the vulnerability information, though as far he knew, Belkin had not followed up to make the fixes.

      However, Belkin asserted that on Feb. 18 that it had already issued the required fixes for the WeMo device firmware.

      “Users with the most recent firmware release (version 3949) are not at risk for malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices,” Belkin said in a statement. “Belkin urges such users to download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.2.1) and then upgrade the firmware version through the app.”

      So what happened? Why didn’t IOActive know about Belkin’s actions and why did they release an advisory claiming unpatched flaws?

      IOActive sent a statement to eWEEK on the issue noting that that it is a longtime proponent of responsible disclosure and has coordinated the public disclosure of critical findings with US-CERT, which is within the Department of Homeland. IOActive also contends that co-ordination of vulnerability information and updates is the domain of CERT.

      “It is important that vendors or suppliers alerted to vulnerable systems by a CERT respond and provide updates on their progress in remediating or mitigating any vulnerabilities back to their CERT point of contact,” IOActive noted in its statement. “The responsibility for responding to CERT falls exclusively on the vendor/supplier.”

      On Feb. 18, IOActive’s Davis told eWEEK that as far as he knew there is no safe configuration with the WeMo device firmware as is. He added that, “without a clear accounting of how these issues were addressed, we would continue recommending that they be disconnected from the network.”

      However, in light of Belkin’s statement, IOActive modified its position on the company’s WeMo products. In its Feb. 19 statement, IOActive reported that it is ‘delighted’ that Belkin has acted on five of CERT’s stated vulnerabilities.

      “While there are other documented concerns, Belkin is headed in the right direction,” IOActive stated. “It is not IOActive’s practice to recheck or certify fixes that may be offered by the vulnerable vendor in response to a CERT notification.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×