Researchers Find Serious Flaws in WeMo Home Automation Devices

Researchers at IOActive found a series of vulnerabilities in the WeMo home automation products built by Belkin that enable them to gain remote control of connected devices, provide malicious firmware updates and gain access to the internal LAN.

UPDATE–There has been a joke going around the tech industry for years about refrigerators and other home appliances one day being connected to the Internet and being able to order more milk for you or allow you to turn off your lights remotely. That day is today, and those Internet-connected devices–surprise!–have many of the same vulnerabilities that normal software applications and hardware devices have had for decades.

Security researchers who have had an increasingly difficult time in recent years finding major vulnerabilities in browsers or desktop applications are now finding that a little time spent on home-automation products can yield serious results. Researchers at IOActive found a series of vulnerabilities in the WeMo home automation products built by Belkin that enable them to gain remote control of connected devices, provide malicious firmware updates and gain access to the internal LAN.

The WeMo products, which include sockets, light switches, motion sensors and Web cams, allow users to connect to their monitored devices from a mobile device. They can monitor usage and turn various devices on and off. The vulnerabilities that the IOActive researchers uncovered relate to the way that WeMo pushes out firmware updates and implements the GPG encryption scheme.

“WeMo also uses a GPG-based, encrypted firmware distribution scheme to maintain device integrity during updates. Unfortunately, attackers can easily bypass most of these features due to the way they are currently implemented in the WeMo product line. The command for performing firmware updates is initiated over the Internet from a paired device. Also, firmware update notices are delivered through an RSS-like mechanism to the paired device, rather than the WeMo device itself, which is distributed over a non-encrypted channel. As a result, attackers can easily push firmware updates to WeMo users by spoofing the RSS feed with a correctly signed firmware,” IOActive principal research scientist Mike Davis wrote in an advisory on the vulnerabilities.

“The firmware updates are encrypted using GPG, which is intended to prevent this issue. Unfortunately, Belkin misuses the GPG asymmetric encryption functionality, forcing it to distribute the firmware-signing key within the WeMo firmware image. Most likely, Belkin intended to use the symmetric encryption with a signature and a shared public key ring. Attackers could leverage the current implementation to easily sign firmware images.”

Davis reported the vulnerabilities to US-CERT, which tried contacting Belkin, which did not respond. Belkin issued a statement on Tuesday, saying it had fixed the vulnerabilities in the most recent firmware update.

“Belkin has corrected the list of five potential vulnerabilities affecting the WeMo line of home automation solutions that was published in a CERT advisory on February 18. Belkin was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates. Users with the most recent firmware release (version 3949) are not at risk from these malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices,” the statement says.

The WeMo devices use a protocol known as STUN to communicate, and was designed to bypass NAT firewalls. The way that WeMo uses the protocol, however, compromises the security of the devices and creates what IOActive called a “darknet” of WeMo devices that attackers can connect to directly.

“As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles. This mitigates their customer’s exposure and reduces risk.  Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home,” Davis said.

US-CERT also has published an advisory on these issues.

This story was updated on Feb. 19 to add the statement from Belkin. 

Suggested articles


  • R Foreman on

    Home automation.. I just love the imagery there. I'd like to automate the refrigerators of the rich and famous to order a few things.
  • Johnny Nicholson on

    I had read about these supposed security weaknesses in the WeMo a few weeks ago, and I'm now very glad I didn't buy one! I'm based in the UK and I bought a similar product from a small company here, WiFi Plug. Their security measures seem to be more advanced than Belkin's despite the fact that they are quite a small company. Would highly recommend to anyone looking to get rid of their compromised WeMo!
  • Prowse! on

    That's rediculous, Johnny Nicholson, why would anyone need to return even a compriised Wemo, just get the firmware update, then NO LONGER BROKEN. Read the FULL article next time.

    Security is a big deal if it allows entry into my home. Most of the new cell phone enabled "smart locks" I have looked at are either too big to fit on the inside of my door, or they use a hackable protocol like NFC or Bluetooth. Return on Investment is also important. I don't want to be locked into a service contract with monthly fees and tech support calls. I automated the entry to my front door's deadbolt six years ago with RFID. Working well for decades, automotive key fobs and garage door openers also use RFID. Automating my front door makes it convenient to lock and unlock from eighty feet away. In the rain or just in a rush, I can make sure I locked the door as my lock beeps (just like my car) when locked. I kept the exterior half of the deadbolt as it matches the front door's handle-set beneath it.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.