UPDATE–There has been a joke going around the tech industry for years about refrigerators and other home appliances one day being connected to the Internet and being able to order more milk for you or allow you to turn off your lights remotely. That day is today, and those Internet-connected devices–surprise!–have many of the same vulnerabilities that normal software applications and hardware devices have had for decades.
Security researchers who have had an increasingly difficult time in recent years finding major vulnerabilities in browsers or desktop applications are now finding that a little time spent on home-automation products can yield serious results. Researchers at IOActive found a series of vulnerabilities in the WeMo home automation products built by Belkin that enable them to gain remote control of connected devices, provide malicious firmware updates and gain access to the internal LAN.
The WeMo products, which include sockets, light switches, motion sensors and Web cams, allow users to connect to their monitored devices from a mobile device. They can monitor usage and turn various devices on and off. The vulnerabilities that the IOActive researchers uncovered relate to the way that WeMo pushes out firmware updates and implements the GPG encryption scheme.
“WeMo also uses a GPG-based, encrypted firmware distribution scheme to maintain device integrity during updates. Unfortunately, attackers can easily bypass most of these features due to the way they are currently implemented in the WeMo product line. The command for performing firmware updates is initiated over the Internet from a paired device. Also, firmware update notices are delivered through an RSS-like mechanism to the paired device, rather than the WeMo device itself, which is distributed over a non-encrypted channel. As a result, attackers can easily push firmware updates to WeMo users by spoofing the RSS feed with a correctly signed firmware,” IOActive principal research scientist Mike Davis wrote in an advisory on the vulnerabilities.
“The firmware updates are encrypted using GPG, which is intended to prevent this issue. Unfortunately, Belkin misuses the GPG asymmetric encryption functionality, forcing it to distribute the firmware-signing key within the WeMo firmware image. Most likely, Belkin intended to use the symmetric encryption with a signature and a shared public key ring. Attackers could leverage the current implementation to easily sign firmware images.”
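The design Davis describes as the intended one (a signature the device can check with a public key it holds, while the signing key never leaves the vendor) is easy to get right when the two halves are kept separate. The following is an added illustration, not Belkin's or IOActive's code and not the WeMo update format: it uses Go's standard-library Ed25519 as a stand-in for GPG signing, a hypothetical update envelope that binds a version number to the image, and a device that trusts nothing about how the update notice arrived (the feed is assumed to be unauthenticated, as in the advisory) and instead accepts an image only if it is vendor-signed and newer than what is installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareUpdate is a hypothetical envelope (not WeMo's real format).
// Version and Image are signed together so neither can be changed alone.
type FirmwareUpdate struct {
	Version uint32
	Image   []byte
	Sig     []byte
}

// signedPayload is the exact byte string the vendor signs and the device
// verifies: big-endian version followed by the raw image bytes.
func signedPayload(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// GenerateKeypair runs once, at the vendor. The private key stays in the
// build system; only the public key is embedded in shipped firmware.
func GenerateKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignFirmware is the vendor-side step and is the only place priv is used.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) FirmwareUpdate {
	return FirmwareUpdate{
		Version: version,
		Image:   image,
		Sig:     ed25519.Sign(priv, signedPayload(version, image)),
	}
}

// Device models the verifying side: it holds the vendor public key and the
// version it currently runs, nothing that could sign a new image.
type Device struct {
	VendorPub      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version not newer than installed")
)

// ApplyUpdate installs u only if the signature verifies under the embedded
// public key and the version moves forward. Where the update notice came
// from is irrelevant; an unauthenticated feed cannot make a bad image pass.
func (d *Device) ApplyUpdate(u FirmwareUpdate) error {
	if !ed25519.Verify(d.VendorPub, signedPayload(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= d.CurrentVersion {
		return ErrRollback
	}
	d.CurrentVersion = u.Version
	return nil
}

func main() {
	pub, priv, err := GenerateKeypair()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a device on version 100 receiving version 101.
	dev := &Device{VendorPub: pub, CurrentVersion: 100}
	genuine := SignFirmware(priv, 101, []byte("constructed firmware image"))
	fmt.Println("genuine update:", dev.ApplyUpdate(genuine))

	// Same signature over modified bytes fails verification.
	tampered := genuine
	tampered.Image = []byte("modified image bytes")
	fmt.Println("tampered image:", dev.ApplyUpdate(tampered))

	// A signature from any key other than the vendor's fails verification.
	_, otherPriv, _ := GenerateKeypair()
	fmt.Println("foreign key:", dev.ApplyUpdate(SignFirmware(otherPriv, 102, []byte("x"))))

	// Replaying the already-installed release is refused as a rollback.
	fmt.Println("replay:", dev.ApplyUpdate(genuine))
}
```

The property that matters is visible in the type signatures: `SignFirmware` needs the private key and `ApplyUpdate` does not, so a copy of the device firmware gives a holder the public key and nothing more. Binding the version into the signed payload is what makes the rollback check trustworthy; if the version were carried outside the signature, an old but genuinely signed image could be relabelled.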
Davis reported the vulnerabilities to US-CERT, which tried contacting Belkin, which did not respond. Belkin issued a statement on Tuesday, saying it had fixed the vulnerabilities in the most recent firmware update.
“Belkin has corrected the list of five potential vulnerabilities affecting the WeMo line of home automation solutions that was published in a CERT advisory on February 18. Belkin was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates. Users with the most recent firmware release (version 3949) are not at risk from these malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices,” the statement says.
The WeMo devices communicate using a protocol known as STUN, which was designed to bypass NAT firewalls. The way that WeMo uses the protocol, however, compromises the security of the devices and creates what IOActive called a “darknet” of WeMo devices that attackers can connect to directly.
“As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customer’s exposure and reduces risk. Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home,” Davis said.
US-CERT also has published an advisory on these issues.
This story was updated on Feb. 19 to add the statement from Belkin.