-
Welcome Guest!
Did you know that you can enjoy many members-only features simply by quickly registering (no CAPTCHA!)?
Registering gives you access to our giveaways, forum features, increased search performance, access to our Download Library, create your own blog & gallery, and more!
Once you have registered, stop by in 'Hello World', and introduce yourself.
Categories See All →
Search Articles
Recent Articles
-
Inovelli Z-Wave Switch ReviewBraveSirRobbin - Jun 23 2019 03:59 PM
-
Amazon Expanding Alexa SmartHome TeamDan (electron) - Mar 31 2017 10:35 AM
-
Luna: Turn Your Bed into a Smartbed
Dan (electron) - Jan 27 2015 06:35 PM
-
HomeSeer unveils Z-NET
BraveSirRobbin - Jan 07 2015 11:01 PM
-
Fun with Cell Phone Voice Alerts!Work2Play - Dec 14 2014 07:49 AM
Recent Files
-
Not Your Mother's ABchucklyons - Mar 28 2019 11:21 PM
-
RadioRA2 Driver
JimSpr - Jan 26 2019 06:16 AM
-
HomeSeer HS3 Connector Module
doczaius - Jun 15 2016 08:17 AM
-
Philips Hue
etc6849 - May 13 2016 03:00 PM
-
Custom.js
chucklyons - May 13 2016 08:20 AM
Recent Entries
-
The end of an era for mejwilson56 - Aug 23 2019 01:47 PM
-
Updating GDO Security+ 2.0 MyQ Door Control Push Button for use with OP2/Elk panelspete_c - Feb 04 2019 04:15 PM
-
Home-Assistant Alexa Media Player options
pete_c - Feb 02 2019 03:39 PM
-
Kodi 17 - Ubuntu 18.04 - VPN client plugin Installation
pete_c - Nov 11 2018 05:35 PM
-
Kodi 17 - Ubuntu 18.04 - MCE Remote
pete_c - Jul 15 2018 01:02 PM
0
Belkin WeMo Home Automation devices contain multiple vulnerabilities (CERT ID 656302)
Feb 18 2014 02:55 PM |
Dan (electron)
in News
Security Notice
Overview
Belkin Wemo Home Automation devices contain multiple vulnerabilities. Description
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2013-6952
Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware update.
CWE-494: Download of Code Without Integrity Check - CVE-2013-6951
Belkin Wemo Home Automation devices do not have a local Certificate store to verify the integrity of SSL connections.
CWE-319: Cleartext Transmission of Sensitive Information - CVE-2013-6950
Belkin Wemo Home Automation firmware distribution feed does not use SSL encryption.
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') - CVE-2013-6949
Belkin Wemo Home Automation devices use STUN & TURN protocols. An attacker with control of one Wemo device may be able to use the STUN & TURN protocols to relay connections to any other Wemo device.
CWE-611: Improper Restriction of XML External Entity Reference ('XXE') - CVE-2013-6948
Belkin Wemo Home Automation API server contains a XML injection vulnerability. The peerAddresses API can be attacked through XML injection, which may reveal the contents of system files.
Additional details may be found in the IOActive advisory. Impact
A remote unauthenticated attacker may be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device. Solution
We are currently unaware of a practical solution to this problem.
Belkin Wemo Home Automation devices contain multiple vulnerabilities. Description
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2013-6952
Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware update.
CWE-494: Download of Code Without Integrity Check - CVE-2013-6951
Belkin Wemo Home Automation devices do not have a local Certificate store to verify the integrity of SSL connections.
CWE-319: Cleartext Transmission of Sensitive Information - CVE-2013-6950
Belkin Wemo Home Automation firmware distribution feed does not use SSL encryption.
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') - CVE-2013-6949
Belkin Wemo Home Automation devices use STUN & TURN protocols. An attacker with control of one Wemo device may be able to use the STUN & TURN protocols to relay connections to any other Wemo device.
CWE-611: Improper Restriction of XML External Entity Reference ('XXE') - CVE-2013-6948
Belkin Wemo Home Automation API server contains a XML injection vulnerability. The peerAddresses API can be attacked through XML injection, which may reveal the contents of system files.
Additional details may be found in the IOActive advisory. Impact
A remote unauthenticated attacker may be able to sign malicious firmware, relay malicious connections, or access device system files to potentially gain complete access to the device. Solution
We are currently unaware of a practical solution to this problem.
2 Comments
The IOActive (and corresponding CVEs) paper describes some very basic security vulnerabilities. The Wemo product is predicated on Internet-of-things, so it’s hard to understand why some pen-testing wasn’t conducted prior to releasing devices. Belkin is a networking company, so you would have thought they “get it.”
What is a bit disconcerting is that a security researcher notified Belkin on Oct. 24. Belkin took four months to patch the SSL firmware verification vulnerability. When a security research company decides to publish its own research bulletin without published patches available, it says something about the security process for embedded product.
The 1990’s standard answer to hide insecure devices behind a firewall is not going to hold water long-term.