UPDATE: Belkin has now released a fix for the security issues mentioned below. To remedy the issue, Belkin urges WeMo users to download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.1.2) and then upgrade the firmware version through the app. Find more information here
According to a recently-released study from security research firm IOActive, nearly half a million Belkin WeMo devices may be vulnerable to attackers.
In a number of different experiments, the WeMo line – which includes things like remotely-controlled switches, plugs, and motion sensors for home automation – was shown to have a variety of different security flaws that give hackers the ability to:
- Remotely control WeMo devices over the Internet
- Perform malicious firmware updates
- Remotely monitor devices
- Access an internal home network
Obviously, this is bad news for Belkin, but it’s even worse news for anyone who currently has a WeMo device in their house. If these vulnerabilities are legitimate, it means that once attackers have compromised a device, they’re free to remotely turn WeMo-connected appliances on or off at will. Depending on the gear users have connected to their WeMos, this could lead to something as harmless as some wasted electricity, or as dangerous as a house fire. On top of that, WeMo motion sensors could be used to remotely monitor a house. This could make a home an easy target for tech-savvy burglars who can use a compromised WeMo to determine when people are in that house, and when they aren’t.
Additionally, once an attacker has established a connection to a WeMo device within a victim’s network, the compromised device can be used as a foothold to attack other devices on your home network – including things like laptops, mobile phones, network-attached storage, or home automation devices.
Mike Davis, IOActive’s principal research scientist, had this to say about the findings:
“As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customer’s exposure and reduces risk.”
We couldn’t agree more.
IOActive has reached out to Belkin for comments on the issue, but has yet to receive a response. For the time being, we recommend that you unplug any WeMo devices you may own and check back for updates.
We’ll keep you posted should any security patches be released.
[via Help Net Security]