
M2M FEATURE NEWS

WeMo Vulnerabilities Latest Example of IoT Security Risks

By Rachel Ramsey February 19, 2014

Just as with the growth of smartphones, the increasing number of Internet-connected devices presents opportunities for hackers and security risks.

The “Internet of Hackable Things” has already exposed vulnerabilities in IoT devices, including baby monitors, LED lights, TVs and refrigerators. The growing number of connected devices means there is more intersection of networks, devices, operating systems, vendors, applications and commands, making it harder to control and easier to attack. An IOActive security advisory recently revealed vulnerabilities in Belkin WeMo products and devices built on the WeMo firmware. The security researchers are advising people to stop using these products because attackers can take control of home networks, thermostats or other connected devices.

WeMo is a family of products that allow users to control home electronics from anywhere via a smartphone and home Wi-Fi and mobile Internet. It powers the idea of home automation, where walking into a room can trigger a light switch, walking out can turn a lamp off, and users can control their heat, air conditioning and more when they’re not even in their home. It also integrates with If This Then That (IFTTT), an application that allows users to build “recipes,” or customized notifications and triggers. For example, if a sensor at the front door is triggered, then you will receive an email. Or if the sun sets, then the hallway lamp goes on.

Those are examples of how the Internet of Things will change many parts of everyday lives, reducing costs, saving time and improving productivity. However, with this convenience comes a cost.

The advisory recommends against using these devices because they pose a threat to multiple parts of users’ lives. Hackers can remotely power devices on or off, which could mean unnoticed fires or wasted electricity. They can also remotely monitor whether people are in a home, or use the WeMo devices as a gateway to hack into other devices.

Mike Davis, principal research scientist for IOActive, explained that “too much connectivity and too many ‘smart’ features” are among the biggest threats from the IoT.

“When you give a device software control of real world items, they become a tempting target. And without real security engineering and testing, it is a disaster waiting to happen (or at least a house fire or two),” he said.

To prevent hackers or data breaches, Davis recommends performing a security assessment and penetration test. This should also be repeated when new features are added to ensure security.

There are basically four vulnerabilities that make these situations possible for attackers:

  • The Belkin WeMo firmware images used to update the devices are signed with public key encryption to protect against unauthorized modifications. However, the signing key and password are leaked on the firmware that is already installed on the devices, so attackers can use the same key and password to sign their own malicious firmware and bypass security checks.
  • WeMo devices do not validate Secure Socket Layer (SSL) certificates, preventing them from validating communications with Belkin’s cloud service. Attackers can use any SSL certificate to impersonate Belkin’s cloud services and push malicious firmware updates and capture credentials at the same time.
  • The Internet communication infrastructure that WeMo devices use to communicate is based on an abused protocol designed for VoIP services to bypass firewall or NAT restrictions. This compromises all WeMo devices’ security by creating a virtual WeMo “darknet” where all WeMo devices can be connected to directly and controlled even without the firmware update attack.
  • The Belkin WeMo server application programming interface (API) was also found to be vulnerable to an XML inclusion vulnerability, which would allow attackers to compromise all WeMo devices.
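
The first item in the list, a signing key shipped inside the firmware it is meant to protect, is a defect a vendor can catch before release. The sketch below is an added example, not code from IOActive or Belkin: a release gate that scans a firmware image for armored private key material. The function names, the key formats covered and the sample images are assumptions made for illustration.

```python
import re

# ASCII armor of secret key material; public keys and certificates do not match.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY"
    rb"|PGP PRIVATE KEY BLOCK)-----"
)
END_RE = re.compile(rb"-----END [A-Z ]+-----")


def find_private_keys(image: bytes):
    """Return (offset, label, protected) for each private key block found.

    protected is None where the armor does not show it (PGP, OpenSSH).
    """
    findings = []
    for m in PRIVATE_KEY_RE.finditer(image):
        label = m.group(1).decode("ascii")
        end = END_RE.search(image, m.end())
        body = image[m.end(): end.start() if end else m.end() + 4096]
        if label.startswith(("PGP", "OPENSSH")):
            protected = None
        else:
            # PKCS#8 puts ENCRYPTED in the label, traditional PEM in a header.
            protected = label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
        findings.append((m.start(), label, protected))
    return findings


def release_gate(image: bytes) -> bool:
    """Pass only if the image holds no private key material, protected or not:
    a passphrase that ships on the same device does not protect the key."""
    return not find_private_keys(image)


# Constructed sample images; key bodies are placeholders, not real keys.
CLEAN_IMAGE = (
    b"\x7fELF" + b"\x00" * 64
    + b"-----BEGIN PUBLIC KEY-----\nQUJD\n-----END PUBLIC KEY-----\n"
)
LEAKY_IMAGE = (
    CLEAN_IMAGE
    + b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nQUJD\n"
    + b"-----END PGP PRIVATE KEY BLOCK-----\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    + b"DEK-Info: AES-128-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("leaky", LEAKY_IMAGE)):
        print(name, release_gate(img), find_private_keys(img))
```

A device that verifies signed updates needs only the public half of the key pair, so any hit from this gate should block the build.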

“My hope is that the average user would be more careful about selecting Internet-connected products,” Davis said. “Maybe controlling your heater from your smartphone is a bad idea - maybe you should just get out of bed to start that pot of coffee. I think we’re in a real danger of the market being flooded with poorly designed products, and with no real security plan, just because it’s ‘cool’ and has a pretty app.”

IOActive provides software, hardware and some compliance testing and review for its customers. Usually this is a process that happens just prior to product release, or in many cases as part of the product design lifecycle. The company’s security services also specialize in smart grid technologies, software assurance and compliance. Learn more at www.ioactive.com




Edited by Cassandra Tucker