Belkin International issued a statement late on Feb. 18 that it has fixed vulnerabilities in its WeMo line of home-electronics control devices that were reported by security research firm IOActive.
Earlier on Feb. 18, IOActive issued a public advisory warning of vulnerabilities in Belkin’s WeMo connected home devices. The WeMo product line includes Internet connected light and power switches that enable users to remotely control their devices via IOS and Android mobile apps.
U.S. CERT (Computer Emergency Response Team) issued its own vulnerability note on Feb. 18 that identified five vulnerabilities that could put WeMo users at risk.
However, in a statement emailed to eWEEK late on Feb. 18 Belkin claimed it has resolved those vulnerabilities. “Belkin has corrected the list of five potential vulnerabilities affecting the WeMo line of home automation solutions that was published in a CERT advisory on February 18,” Belkin’s statement said.
CERT also updated its vulnerability note on Feb. 19 making note of the Belkin statement that it has fixed it products. The CERT note indicates that it was first notified of the WeMo issues on Oct. 24, 2013. In an interview with eWEEK on Feb. 18, Mike Davis, IOActive’s principal research scientist said that he was aware that Belkin received the vulnerability information, though as far he knew, Belkin had not followed up to make the fixes.
However, Belkin asserted that on Feb. 18 that it had already issued the required fixes for the WeMo device firmware.
“Users with the most recent firmware release (version 3949) are not at risk for malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices,” Belkin said in a statement. “Belkin urges such users to download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.2.1) and then upgrade the firmware version through the app.”
So what happened? Why didn’t IOActive know about Belkin’s actions and why did they release an advisory claiming unpatched flaws?
IOActive sent a statement to eWEEK on the issue noting that that it is a longtime proponent of responsible disclosure and has coordinated the public disclosure of critical findings with US-CERT, which is within the Department of Homeland. IOActive also contends that co-ordination of vulnerability information and updates is the domain of CERT.
“It is important that vendors or suppliers alerted to vulnerable systems by a CERT respond and provide updates on their progress in remediating or mitigating any vulnerabilities back to their CERT point of contact,” IOActive noted in its statement. “The responsibility for responding to CERT falls exclusively on the vendor/supplier.”
On Feb. 18, IOActive’s Davis told eWEEK that as far as he knew there is no safe configuration with the WeMo device firmware as is. He added that, “without a clear accounting of how these issues were addressed, we would continue recommending that they be disconnected from the network.”
However, in light of Belkin’s statement, IOActive modified its position on the company’s WeMo products. In its Feb. 19 statement, IOActive reported that it is ‘delighted’ that Belkin has acted on five of CERT’s stated vulnerabilities.
“While there are other documented concerns, Belkin is headed in the right direction,” IOActive stated. “It is not IOActive’s practice to recheck or certify fixes that may be offered by the vulnerable vendor in response to a CERT notification.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
