MAJOR security flaw found in Belkin WeMo, "deathtrap"

ChrisCicc

Active Member
Hey Folks, I saw this today on Hackaday. An enterprising hacker has figured out how to gain remote control over WeMo devices. Not only can he scan the internet for WeMo devices, hack into your house's devices, and turn the power on or off, the WeMo is actually capable of switching the load on and off dozens of times per second, which means he can send the device into an extreme power cycle loop that can start fires in things like space heaters and motors.
 
Wow...I hope they are able to fix this for the people who already bought their devices!
 
http://hackaday.com/2013/01/31/turning-the-belkin-wemo-into-a-deathtrap/
 
http://www.youtube.com/watch?feature=player_embedded&v=BcW2q0aHOFo
 
Looks like they are 'sniffing' for the traffic on a certain port?
 
The bad thing about Belkin's WeMo is you HAVE to go outside your network to the cloud to switch anything on and off. This means an awful lot of traffic is going outside your home's network. PLUS, you have no other choice as that is the way it is designed to work. In other words, even if you wanted to make it secure and keep the traffic from going outside your firewall, you can't!
 
Of course, what this hacker should do is incorporate this methodology into a home automation system so we would finally have IP based switches AND be able to secure the traffic with our own brewed automation software! ;)
 
On the flipside, you can now write programs that execute on the WeMo and do whatever you want. Looks like a relatively powerful embedded Linux system. Dropbear was on there. This is pretty great. As for "scanning the internet", this is a UPnP flaw so I doubt it is going to work outside the LAN.
 
http://www.kb.cert.org/vuls/id/922681
 
BraveSirRobbin said:
Of course, what this hacker should do is incorporate this methodology into a home automation system so we would finally have IP based switches AND be able to secure the traffic with our own brewed automation software! ;)
 
I like this idea, but of course it enters us into a cat and mouse game with the manufacturer, and that isn't guaranteed to end well for purchasers.
 
This is exactly why I've been saying IP-connected home automation hardware is a bad idea. Every system has bugs and security issues. But if the security issue is in your light switches, when a problem is discovered what are your options? Replace all of them? At best, if the manufacturer has designed in the capability, you'll have to go around and flash new firmware in every device.
 
If your hardware is running its own protocol (Insteon, UPB, Zwave, whatever -- anything that's not IP), you can still have a security issue but it will be limited to the single device that is your bridge between home automation and the internet. You have one single device to upgrade or replace.
 
jdale said:
This is exactly why I've been saying IP-connected home automation hardware is a bad idea. Every system has bugs and security issues. But if the security issue is in your light switches, when a problem is discovered what are your options? Replace all of them? At best, if the manufacturer has designed in the capability, you'll have to go around and flash new firmware in every device.
 
If your hardware is running its own protocol (Insteon, UPB, Zwave, whatever -- anything that's not IP), you can still have a security issue but it will be limited to the single device that is your bridge between home automation and the internet. You have one single device to upgrade or replace.
 
That's easily accomplished in the IP world by using a dedicated port other than 80. That way your router can block all outside access directly to that port, and with it any hack attempts to the hardware devices themselves, and instead connect to them through a central controller only. Of course, Belkin wants to control everything and charge you a monthly fee, and so they cloud enabled everything, and this is the result. 
 
Still doesn't help if they manage to get someone in the house to run a trojan. Then it's inside the house, and can connect outwards without any problems. You may never know until whoever it's calling home to decides to go a-hackin'. Or it may just run once to see if you have failed to disable UPnP updating of your router, and open up connections for itself on any ports its creator wants to come back in on later. Then you'd never even necessarily have a virus to find; it could have just opened you up and then deleted itself.
 
Ultimately, old fashioned as they are, serial ports are pretty safe. As long as the automation system is tight (and if it has a strong login mechanism it should be), and as long as no general-purpose machines use any sort of high privilege automation system accounts to log in as well, then you would be a lot safer if the only way to get to the stuff controlled was through that automation system.
 
There are exceptions of course. The Omni uses an encrypted connection, so unless the hacker could figure out the key (very unlikely, unless you left it somewhere that it was easy to find and they knew you had one and what to look for), they wouldn't get anywhere on that front. Some HTTP based stuff does at least offer the option of a login, which would help. And though telnet based connections are super-simple protocols, they often require a login, e.g. RadioRA2 or Homeworks.
 
But, if all the things being controlled are IP based as well, then it would just bypass the controller and go straight to them, since most simple IP based devices won't provide encrypted connections, or even a login requirement.
 
A friend showed me BackTrack a few weeks ago... pretty slick setup for testing for things like this. Watching a few BackTrack related videos on YouTube can get a bit scary...
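The UPnP concern raised above (a program inside the LAN quietly adding port mappings on the router) is something you can audit from a trusted machine. The following is an added example, not code from the thread or from Belkin: it builds the IGD request that enumerates a router's port mappings, parses a reply, and flags mappings pointing at hosts you did not expect. Discovering the router's control URL (SSDP and the device description) and actually sending the request are left out; the reply and the addresses are constructed.

```python
# Added example, not code from the thread or from Belkin: build the UPnP IGD
# request that lists a router's port mappings, parse the reply, and flag
# mappings that expose an internal host. The sample reply is constructed.
import xml.etree.ElementTree as ET

IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"

def build_request(index):
    """SOAP body asking the IGD for port-mapping entry number `index`;
    send it with SOAPAction: "<IGD_SERVICE>#<ACTION>" to the control URL."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{ACTION} xmlns:u="{IGD_SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    )

def parse_mapping(xml_text):
    """Return the New* fields of a GetGenericPortMappingEntry reply, keyed by
    local tag name (namespace prefixes stripped)."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return fields

def audit(mappings, allowed_internal=()):
    """Flag each enabled mapping whose internal client is not on the allow
    list: a mapping opened by malware for itself shows up as an unexpected
    internal host, usually with a bland description."""
    findings = []
    for m in mappings:
        if m.get("NewEnabled") == "1" and m["NewInternalClient"] not in allowed_internal:
            findings.append(f"{m['NewProtocol']}/{m['NewExternalPort']} -> "
                            f"{m['NewInternalClient']}:{m['NewInternalPort']} "
                            f"({m['NewPortMappingDescription'] or 'no description'})")
    return findings

# Constructed sample reply in the shape an IGD returns (RFC 1918 host, made up).
SAMPLE_REPLY = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>5555</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>5555</NewInternalPort><NewInternalClient>192.168.1.37</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>svchost</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
```

Against a real router you would loop `build_request(i)` for i = 0, 1, 2, ... until the IGD returns a SOAP fault (no more entries), feed each reply to `parse_mapping`, and pass the list to `audit` with the hosts you know should be reachable; anything else flagged is worth a look.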
 
jdale said:
you'll have to go around and flash new firmware in every device.
Any reasonable IP device is going to be able to take updates over IP and I would be surprised if there wasn't a new firmware out that fixes this hole very soon as the source is already available.
 
az1324 said:
Any reasonable IP device is going to be able to take updates over IP and I would be surprised if there wasn't a new firmware out that fixes this hole very soon as the source is already available.
 
Though that itself can be a massive security hole if not very tightly restricted.
 
This is a topic that always amuses me.  Way too often, people who "think" they're technical and have some clue start touting how everything should be IP based and how it somehow simplifies life... but these are usually the people who understand real TCP/IP networks the least.  What they know is "I have IP Address; I plug in Cat5 - everything is familiar".  It's just downright naive - but, as the saying goes, "people don't know what they don't know".
 
The reality is TCP/IP networks are extremely complex, but in the simplest of environments, the network equipment being offered has dumbed it down to a level most any trained monkey can handle. That said, I can't tell you how many networks I see and how many just downright moronic IT "engineers" and "managers" I encounter that just don't have a clue... and that's in a business environment. Homes are even worse: even less technical people, or often worse, the "son", "brother in law" or "nephew" who's "good with computers" that fakes their way through it. IT is a field with no barriers to entry and the only requirement is a dumb enough boss that doesn't understand what they're saying, who trusts what they hear and doesn't know to ask questions.
 
/soapbox rant
 
I'm not a tin-foil-hat conspiracy theorist - I bank online; my wifi has moderate security; etc - a lot of times it's just a matter of locking your doors and playing the odds - same goes with network security... but requiring your devices to talk to the cloud is pretty dumb - BUT it opens up to a much larger wannabe techie market - so while I understand it, I'd never in a million years buy it.  I also can't think of a single reason on earth that most HA products should be IP enabled; instead, they should have gateways that are IP enabled.  WTF would I want 75 light switches taking up IP addresses and using IP traffic?  The overhead alone on each packet would be 10x what the actual data is... it's just dumb.  Then there's the little-understood fact that basic limitations of Wifi as a protocol limit you to 30-50 devices per AP regardless of brand/cost/manufacturer - and the higher power consumption to support running the wifi - again - it just doesn't make sense.  People "think" they hate serial but have no idea why... the reality is, it's a simple protocol with hardly any overhead and not prone to networking issues; network configuration; etc; if the link exists and works, the devices communicate... 
 
So I hope that everyone who bought a cloud-enabled outlet can go through the hassles of doing firmware updates and not burn their houses down (again - a stretch) - but those people are seriously on the low end of the "automation" world.
 
Work2Play said:
I also can't think of a single reason on earth that most HA products should be IP enabled; instead, they should have gateways that are IP enabled.  WTF would I want 75 light switches taking up IP addresses and using IP traffic?  The overhead alone on each packet would be 10x what the actual data is... it's just dumb.  Then there's the little-understood fact that basic limitations of Wifi as a protocol limit you to 30-50 devices per AP regardless of brand/cost/manufacturer - and the higher power consumption to support running the wifi - again - it just doesn't make sense.  
 
IPv6 :) Even without it, an internal home or business network has more than enough IP addresses available. And very good point about the device limit per AP.
 
Personally, I think in a perfect world, we'll end up with a combination of the mesh networks we use now, and direct IPv6 addressing of the "internet of things" in our homes (i.e. an IPv6 based mesh network that you can talk to via a WiFi network adapter or whatever). Frankly, as more and more things become automated, there are more and more protocols to support, and serial adapters to buy, adding headaches for all involved. Consumers will not be able to keep track of it all. Moving everything to IP would be beneficial for homeowners and the industry alike. Keep in mind it's not just light switches and smart appliances, it's sensors embedded in walls, etc etc. 
 
It was just days ago I made this point about Linux based IP cameras being used as an attack platform, and this video is a great example.
 
I am one of those people who would enjoy IP-enabled devices such as light switches, appliances (status only),  and I do understand networks ;)  The trick is to implement it CORRECTLY with security in mind (which almost NONE of these manufacturers do), and I definitely don't want the devices directly connected to the internet (via 'cloud' or port forwarding).
 
And as for the trojan concern, you have bigger problems if your home network has been compromised.
 
Dan (electron) said:
It was just days ago I made this point about Linux based IP cameras being used as an attack platform, and this video is a great example.
 
I am one of those people who would enjoy IP-enabled devices such as light switches, appliances (status only),  and I do understand networks ;)  The trick is to implement it CORRECTLY with security in mind (which almost NONE of these manufacturers do), and I definitely don't want the devices directly connected to the internet (via 'cloud' or port forwarding).
 
And as for the trojan concern, you have bigger problems if your home network has been compromised.
 
Ehh, I don't know... If my home network has been compromised, I'd prefer that information be stolen from my computer (or completely corrupted) as opposed to someone controlling electronic devices which could potentially start a house fire - and end up losing everything.
 