Did you know that you can enjoy many members-only features simply by quickly registering (no CAPTCHA!)?
Registering gives you access to our giveaways, forum features, increased search performance, access to our Download Library, create your own blog & gallery, and more!
Once you have registered, stop by in 'Hello World', and introduce yourself.
View Other Content
Categories See All →
Belkin WeMo Home Automation devices contain multiple vulnerabilities (CERT ID 656302)Security Notice
Belkin Wemo Home Automation devices contain multiple vulnerabilities. Description
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2013-6952
Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware update.
CWE-494: Download of Code Without Integrity Check - CVE-2013-6951
Belkin Wemo Home Automation devices do not have a local Certificate store to verify the integrity of SSL connections.
CWE-319: Cleartext Transmission of Sensitive Information - CVE-2013-6950
Belkin Wemo Home Automation firmware distribution feed does not use SSL encryption.
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') - CVE-2013-6949
Belkin Wemo Home Automation devices use STUN & TURN protocols. An attacker with control of one Wemo device may be able to use the STUN & TURN protocols to relay connections to any other Wemo device.
CWE-611: Improper Restriction of XML External Entity Reference ('XXE') - CVE-2013-6948
Belkin Wemo Home Automation API server contains a XML injection vulnerability. The peerAddresses API can be attacked through XML injection, which may reveal the contents of system files.
Additional details may be found in the IOActive advisory. Impact
A remote unauthenticated attacker may be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device. Solution
We are currently unaware of a practical solution to this problem.