[Article] Belkin WeMo Home Automation devices contain multiple vulnerabilities (CERT ID 656302)

electron

Administrator
Staff member
It just keeps getting better.  Mike Davis @ IOActive posted a document about several major security issues discovered within the Belkin WeMo platform.  It's so bad CERT actually posted a bulletin about it.
 
While I don't want people's homes to be compromised, I can't say I'm surprised, considering how many people are trusting internet-based services to control all aspects of their home, or punching holes through their firewall for remote access to alarm systems, etc.
 
See below for the CERT bulletin.

 
The IOActive (and corresponding CVEs) paper describes some very basic security vulnerabilities. The WeMo product is predicated on Internet-of-things, so it’s hard to understand why some pen-testing wasn’t conducted prior to releasing devices. Belkin is a networking company, so you would have thought they “get it.”
 
What is a bit disconcerting is that a security researcher notified Belkin on Oct. 24. Belkin took four months to patch the SSL firmware verification vulnerability.  When a security research company decides to publish its own research bulletin without published patches available, it says something about the security process for embedded products.
 
The 1990s standard answer to hide insecure devices behind a firewall is not going to hold water long-term.
 