IOActive researcher Mike Davis said on Tuesday that his research into Belkin’s WeMo technology found the “devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity” (http://www.ioactive.com/news-events/IOActive_advisory_belkinwemo_2014.html). IOActive provided information on Davis’s research to the US Computer Emergency Readiness Team (CERT), which issued an advisory on the WeMo issues on Tuesday (http://www.kb.cert.org/vuls/id/656302). There has been no response yet from Belkin.
Among the problems discovered by Davis and IOActive: Belkin’s firmware reveals the signing key and password, allowing an attacker with physical or logical access to a WeMo device to sign a malicious software update and get it to run on the device, bypassing security and integrity checks. Also, Belkin WeMo devices don’t validate Secure Sockets Layer (SSL) certificates used with inbound communications from Belkin’s cloud service. That could allow an attacker to impersonate Belkin’s legitimate cloud service using any valid SSL certificate, potentially pushing a bogus firmware update or malicious RSS feed to deployed WeMo devices.
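The certificate finding comes down to two separate client-side checks: that the certificate chains to a trusted CA, and that it was issued for the service the device meant to reach. The following is an added example, not code from IOActive, CERT or Belkin, showing a client configuration that performs only the first check next to one that performs both, plus the identity comparison itself. The host name `cloud.vendor.example`, the sample certificates and all function names are constructed for illustration, and the article does not say how the WeMo firmware configures its TLS client.

```python
import ssl

# Hypothetical name standing in for the vendor's cloud endpoint.
EXPECTED_HOST = "cloud.vendor.example"

def chain_only_context() -> ssl.SSLContext:
    """Weak: accepts any certificate from a trusted CA, whatever name it carries."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # identity check switched off
    return ctx

def strict_context() -> ssl.SSLContext:
    """Corrected: chain validation and hostname verification both enforced."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit(ctx: ssl.SSLContext) -> list:
    """Return the validation gaps in a client context."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain not verified")
    if not ctx.check_hostname:
        gaps.append("hostname not verified")
    return gaps

def _name_match(pattern: str, host: str) -> bool:
    """Compare one dNSName with the host; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label, e.g. "*.example".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names_host(cert: dict, host: str) -> bool:
    """Identity check over a dict shaped like SSLSocket.getpeercert() output."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_name_match(name, host) for name in sans)

# Constructed sample certificates; both are assumed to chain to a trusted CA.
GENUINE = {"subjectAltName": (("DNS", "cloud.vendor.example"),)}
UNRELATED = {"subjectAltName": (("DNS", "www.unrelated.example"),
                                ("DNS", "*.unrelated.example"))}

if __name__ == "__main__":
    print("chain-only gaps:", audit(chain_only_context()))
    print("strict gaps:    ", audit(strict_context()))
    print("genuine cert ok:", cert_names_host(GENUINE, EXPECTED_HOST))
    print("unrelated cert ok:", cert_names_host(UNRELATED, EXPECTED_HOST))
```

A client using the chain-only context would complete a handshake with the holder of the unrelated certificate, which is why the identity comparison has to be enforced alongside chain validation.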
WeMo customers who are counting on their wireless router and NAT (network address translation) or a firewall to provide cover should also beware. Davis found that Belkin has implemented a proprietary ‘darknet’ that connects deployed WeMo devices by ‘abusing’ an (unnamed) protocol originally designed for use with Voice over Internet Protocol (VoIP) services. With knowledge of the protocol and a ‘secret number’ uniquely identifying the device, an attacker could connect to and control any WeMo device over the proprietary network.