Categories See All →
Search Articles
Recent Articles
-
Inovelli Z-Wave Switch Review
BraveSirRobbin - Jun 23 2019 03:59 PM
-
Amazon Expanding Alexa SmartHome Team
Dan (electron) - Mar 31 2017 10:35 AM
-
Luna: Turn Your Bed into a Smartbed
Dan (electron) - Jan 27 2015 06:35 PM
-
HomeSeer unveils Z-NET
BraveSirRobbin - Jan 07 2015 11:01 PM
-
Fun with Cell Phone Voice Alerts!
Work2Play - Dec 14 2014 07:49 AM
Recent Files
-
HAI_Omni-Link_II_Protocol_Rev_3.0
pete_c - Mar 06 2021 07:21 AM
-
SysEventBroker_with_AV
chucklyons - Apr 22 2020 03:02 PM
-
Generic_Russound_pr4zi
chucklyons - Dec 03 2019 02:39 PM
-
Not Your Mother's AB
chucklyons - Mar 28 2019 11:21 PM
-
RadioRA2 Driver
JimSpr - Jan 26 2019 06:16 AM
Recent Entries
-
Gas cutoff system
keepersg - Nov 22 2020 10:08 AM
-
Rebuilding new old NAS box
pete_c - May 15 2020 07:01 AM
-
The end of an era for me
jwilson56 - Aug 23 2019 01:47 PM
-
Updating GDO Security+ 2.0 MyQ Door Control Push Button for use with OP2/Elk panels
pete_c - Feb 04 2019 04:15 PM
-
Home-Assistant Alexa Media Player options
pete_c - Feb 02 2019 03:39 PM

Belkin WeMo Home Automation devices contain multiple vulnerabilities (CERT ID 656302)
Feb 18 2014 02:55 PM |
Dan (electron)
in News
Security NoticeBelkin Wemo Home Automation devices contain multiple vulnerabilities. Description
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2013-6952
Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware update.
CWE-494: Download of Code Without Integrity Check - CVE-2013-6951
Belkin Wemo Home Automation devices do not have a local Certificate store to verify the integrity of SSL connections.
CWE-319: Cleartext Transmission of Sensitive Information - CVE-2013-6950
Belkin Wemo Home Automation firmware distribution feed does not use SSL encryption.
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') - CVE-2013-6949
Belkin Wemo Home Automation devices use STUN & TURN protocols. An attacker with control of one Wemo device may be able to use the STUN & TURN protocols to relay connections to any other Wemo device.
CWE-611: Improper Restriction of XML External Entity Reference ('XXE') - CVE-2013-6948
Belkin Wemo Home Automation API server contains a XML injection vulnerability. The peerAddresses API can be attacked through XML injection, which may reveal the contents of system files.
Additional details may be found in the IOActive advisory. Impact
A remote unauthenticated attacker may be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device. Solution
We are currently unaware of a practical solution to this problem.
2 Comments
The IOActive (and corresponding CVEs) paper describes some very basic security vulnerabilities. The Wemo product is predicated on Internet-of-things, so it’s hard to understand why some pen-testing wasn’t conducted prior to releasing devices. Belkin is a networking company, so you would have thought they “get it.”
What is a bit disconcerting is that a security researcher notified Belkin on Oct. 24. Belkin took four months to patch the SSL firmware verification vulnerability. When a security research company decides to publish its own research bulletin without published patches available, it says something about the security process for embedded product.
The 1990’s standard answer to hide insecure devices behind a firewall is not going to hold water long-term.