ROUTER MAKER Belkin has released security patches to fix vulnerabilities in its Wemo Home Automation systems that allowed hackers to remotely control attached devices.
Seattle security company IOactive warned on Tuesday that the vulnerabilities could enable a variety of attacks, including potential blackouts or home fires, potentially affecting over half a million customers.
Attackers could exploit the flaws to remotely control devices attached to Wemo Home Automation systems over the internet, push malicious firmware updates, remotely monitor the devices, and gain access to the internal home network.
"Belkin's Wemo uses WiFi and the mobile internet to control home electronics anywhere in the world directly from the user's smartphone," IOactive principal research scientist Mike Davis said in a company blog post on Tuesday. "The vulnerabilities found within the Belkin Wemo devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity."
After attackers compromise the Wemo systems, Davis said they can be used to remotely turn attached devices on and off at any time. Given the number of Wemo systems in use, it is highly likely that many of the attached appliances and devices will be unattended, thus increasing the threat posed by these vulnerabilities.
"Additionally, once an attacker has established a connection to a Wemo device within a victim's network, the device can be used as a foothold to attack other devices such as laptops, mobile phones, and attached network file storage," he added.
Another concern is that the Wemo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy of the home.
"As we connect our homes to the internet, it is increasingly important for internet of things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles," Davis said. "This mitigates their customer's exposure and reduces risk."
The day that IOactive wrote the blog post about the vulnerability, the CERT division of the Carnegie Mellon Software Engineering Institute (SEI) confirmed its fears regarding the possible threats and posted an advisory about the five vulnerabilities.
According to SEI, the Belkin flaws entail a vulnerability in the Wemo Home Automation firmware, where hard-coded cryptographic keys could be used by an attacker to sign a malicious firmware update.
We contacted Belkin regarding the issue today; the company said it has corrected the five potential vulnerabilities affecting its Wemo systems and has issued fixes via in-app notifications and updates.
"Users with the most recent firmware release (version 3949) are not at risk for malicious firmware attacks or remote control or monitoring of Wemo devices from unauthorized devices," Belkin said. "Belkin urges such users to download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.2.1) and then upgrade the firmware version through the app."
The fixes include an update to the Wemo API server that prevents an XML injection attack from gaining access to other Wemo devices, an update to the Wemo firmware that adds SSL encryption and validation to the Wemo firmware distribution feed, and finally, an update to the Wemo app for both iOS and Android, which contains the most recent firmware update.
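A defender's check for the two weaknesses described above (a signing key shipped inside the firmware image, and an update feed fetched without TLS), as an added example that is not part of the article or of Belkin's or IOactive's code: it scans a firmware image for PEM private-key markers and cleartext http:// URLs. The marker list, the URL pattern and the sample image are constructed assumptions; the page does not state what format the Wemo keys or feed used.

```python
import re
from dataclasses import dataclass

# Byte patterns that indicate private-key material or a cleartext update URL
# baked into an image. Constructed for this example; the page does not say
# what format the Wemo keys or feed used.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
)
CLEARTEXT_URL = re.compile(rb"http://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._/-]*)?")


@dataclass(frozen=True)
class Finding:
    offset: int   # byte offset of the hit within the image
    kind: str     # "private_key" or "cleartext_url"
    detail: str   # the marker or URL that matched


def scan_image(image: bytes) -> list[Finding]:
    """Return every embedded private-key marker and http:// URL, sorted by offset."""
    findings: list[Finding] = []
    for marker in PRIVATE_KEY_MARKERS:
        pos = image.find(marker)
        while pos != -1:
            findings.append(Finding(pos, "private_key", marker.decode("ascii")))
            pos = image.find(marker, pos + len(marker))
    for m in CLEARTEXT_URL.finditer(image):
        findings.append(Finding(m.start(), "cleartext_url", m.group().decode("ascii")))
    return sorted(findings, key=lambda f: f.offset)


def has_embedded_signing_secret(image: bytes) -> bool:
    """True if anyone holding a copy of the image also holds the signing key."""
    return any(f.kind == "private_key" for f in scan_image(image))


# Constructed sample image: padding, a fake PEM private key, and a cleartext feed URL.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAfake...\n-----END RSA PRIVATE KEY-----\n"
    + b"\xff" * 32
    + b"http://updates.example.invalid/firmware/latest.bin\x00"
)

if __name__ == "__main__":
    for f in scan_image(SAMPLE_IMAGE):
        print(f"0x{f.offset:08x} {f.kind:13} {f.detail}")
```

An image that only carries a public key or certificate produces no findings, which is the shape a signed-update scheme should have: the verifier embeds the public half, and the private half never leaves the vendor's signing infrastructure.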