According to researchers from security firm IOActive, the popular home automation product known as WeMo might be susceptible to some surprising security vulnerabilities. IOActive says a rogue user could remotely control attached devices, install malicious firmware, and remotely monitor your activities. The firm issued a critical security advisory recommending unplugging affected WeMo products. WeMo devices connect to the Internet and allow users to control lights, electrical outlets and other connected devices via their smartphones and websites such as IFTTT.com. The most popular way to control a WeMo device is through the free iOS and Android applications, which monitor onboard WeMo sensors and activate switches to control power.
Here are the details behind the claimed flaw:
The WeMo devices connect to the Internet using the STUN/TURN protocol. This gives users remote control of the devices and allows them to perform firmware updates from anywhere in the world. A generated GUID is the primary source of access control. WeMo also uses a GPG-based, encrypted firmware distribution scheme to maintain device integrity during updates.
Unfortunately, attackers can easily bypass most of these features due to the way they are currently implemented in the WeMo product line. The command for performing firmware updates is initiated over the Internet from a paired device. Also, firmware update notices are delivered to the paired device, rather than to the WeMo device itself, through an RSS-like mechanism that is distributed over a non-encrypted channel. As a result, attackers can easily push firmware updates to WeMo users by spoofing the RSS feed with a correctly signed firmware.
The firmware updates are encrypted using GPG, which is intended to prevent this issue. Unfortunately, Belkin misuses the GPG asymmetric encryption functionality, forcing it to distribute the firmware-signing key within the WeMo firmware image. Most likely, Belkin intended to use the symmetric encryption with a signature and a shared public key ring. Attackers could leverage the current implementation to easily sign firmware images.
Belkin uses STUN/TURN and an exposed firmware signing key. IOActive discovered an unfortunate configuration relating to this. A lack of entropy on the device results in less-than-random GUIDs. IOActive also discovered that the WeMo RESTful service endpoint is vulnerable to attack. We reported to Belkin an arbitrary file download flaw relating to this.
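As an added example (not code from the advisory, IOActive or Belkin), here is the verify-only update design the advisory says Belkin most likely intended, written in Go: the vendor signs each update notice with a private key that stays on the build server, and the device, which ships only the public key, checks the notice signature and the image digest before installing anything. Ed25519 stands in for GPG, and the notice format, the URLs and the image bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// UpdateNotice is the signed body of one feed entry (format constructed for this example).
type UpdateNotice struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the firmware image
}

// NewNotice pins the exact image the vendor built by its digest.
func NewNotice(version, url string, image []byte) UpdateNotice {
	sum := sha256.Sum256(image)
	return UpdateNotice{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])}
}

// VendorSign runs on the vendor's build server; the private key stays there and is
// never placed inside the firmware image, which is the mistake the advisory describes.
func VendorSign(priv ed25519.PrivateKey, n UpdateNotice) ([]byte, error) {
	msg, err := json.Marshal(n)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// DeviceVerify runs on the device, which holds only the public key. The feed may travel
// unencrypted: a spoofed notice fails the signature check and a swapped image fails the
// digest check, so neither gets installed.
func DeviceVerify(pub ed25519.PublicKey, n UpdateNotice, sig, image []byte) error {
	msg, err := json.Marshal(n)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("update notice: bad signature")
	}
	if sum := sha256.Sum256(image); hex.EncodeToString(sum[:]) != n.SHA256 {
		return errors.New("firmware image: digest does not match signed notice")
	}
	return nil
}
```

Because the device never holds signing material, extracting its firmware yields nothing that lets a third party produce an acceptable notice, which is the property the shipped design lacked.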
If you're using a WeMo device, it's probably best to disconnect. Here's a video that demonstrates what IOActive claims they've been able to exploit.