Security researchers have taken the unusual step of recommending that people stop using Belkin’s WeMo home automation products after uncovering a variety of vulnerabilities that attackers can exploit to take control of home networks, thermostats, or other connected devices.
WeMo products allow people to use smartphones and computers to remotely control light switches, Web cams, motion sensors, and other home appliances. Now the items are exposing the password and cryptographic signing key used to ensure that firmware updates are valid, according to an advisory published Tuesday by researchers from security firm IOActive. Attackers can use the credentials to bypass WeMo security checks and sign malicious firmware that masquerades as an official release from Belkin.
WeMo devices also fail to validate secure socket layer certificates when connecting to Belkin servers, even when the devices are running firmware that’s fully up-to-date. What’s more, firmware update notices are delivered through handsets or computers paired with the WeMo products and use a non-encrypted channel. IOActive Principle Research Scientist Mike Davis said he was able to combine exploits for those weaknesses into an attack that spoofed the RSS feed Belkin uses to push firmware updates to WeMo products. The counterfeit feeds, in turn, surreptitiously infected the devices with malware.
Unfettered access
The malware gains unfettered root access to the WeMo device and allows attackers to send commands to connected appliances. Attackers can also change the state of a connected device by exploiting a separate flaw in the universal plug and play implementation. A video demonstration posted last month shows how such an attack can be used to repeatedly turn on and off a small desk lamp. More malicious hacks could do similar things to heaters or other connected devices in the home. The vulnerabilities pose a risk because they could allow attackers to tamper with motion sensors used in home security systems, IOActive said.
Full Story: Password leak in WeMo devices makes home appliances susceptible to hijacks | Ars Technica.