Jump to content

- - - - -

Belkin WeMo Home Automation devices contain multiple vulnerabilities (CERT ID 656302)

Security Notice

It just keeps getting better.  Mike Davis @ IOActive posted a document about several major security issues discovered within the Belkin WeMo platform.  It's so bad CERT actually posted a bulletin about it.
While I don't want people's homes to be compromised, I can't say I'm surprised, considering how many people are trusting internet based services to control all aspects of their home, or punching holes through their firewall for remote access to alarm systems, etc.
See below for the CERT bulletin.
Belkin Wemo Home Automation devices contain multiple vulnerabilities.
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2013-6952

Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware update.

CWE-494: Download of Code Without Integrity Check - CVE-2013-6951
Belkin Wemo Home Automation devices do not have a local Certificate store to verify the integrity of SSL connections.

CWE-319: Cleartext Transmission of Sensitive Information - CVE-2013-6950
Belkin Wemo Home Automation firmware distribution feed does not use SSL encryption.

CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') - CVE-2013-6949
Belkin Wemo Home Automation devices use STUN & TURN protocols. An attacker with control of one Wemo device may be able to use the STUN & TURN protocols to relay connections to any other Wemo device.

CWE-611: Improper Restriction of XML External Entity Reference ('XXE') - CVE-2013-6948
Belkin Wemo Home Automation API server contains a XML injection vulnerability. The peerAddresses API can be attacked through XML injection, which may reveal the contents of system files.

Additional details may be found in the IOActive advisory.
A remote unauthenticated attacker may be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device.
We are currently unaware of a practical solution to this problem.



Hopefully this will make it easy to upload alternative firmware.
Feb 19 2014 12:40 AM

The IOActive (and corresponding CVEs) paper describes some very basic security vulnerabilities. The Wemo product is predicated on Internet-of-things, so it’s hard to understand why some pen-testing wasn’t conducted prior to releasing devices. Belkin is a networking company, so you would have thought they “get it.”


What is a bit disconcerting is that a security researcher notified Belkin on Oct. 24. Belkin took four months to patch the SSL firmware verification vulnerability.  When a security research company decides to publish its own research bulletin without published patches available, it says something about the security process for embedded product.


The 1990’s standard answer to hide insecure devices behind a firewall is not going to hold water long-term.