Update: Security Flaw found in Belkin WeMo devices


Flaws have been found in the way Belkin's WeMo devices receive updates. They use over-the-air firmware updates signed with PGP (GPG), with update notices delivered through an RSS feed. If someone could spoof that RSS feed and obtain a validly signed firmware image, they could potentially push modified firmware to you that would let them bypass your NAT firewall. WeMo uses a protocol called STUN, so an attacker could then control the internal network behind your NAT and pull information off any of your other computers. It is not known whether other home automation products have the same problem, but US-CERT has notified Belkin and posted the notice on its website. See the advisory below from IOActive.

WeMo also uses a GPG-based, encrypted firmware distribution scheme to maintain device integrity during updates. Unfortunately, attackers can easily bypass most of these features due to the way they are currently implemented in the WeMo product line. The command for performing firmware updates is initiated over the Internet from a paired device. Also, firmware update notices are delivered through an RSS-like mechanism to the paired device, rather than the WeMo device itself, which is distributed over a non-encrypted channel. As a result, attackers can easily push firmware updates to WeMo users by spoofing the RSS feed with a correctly signed firmware.

IOActive (PDF)

UPDATE:

Late Tuesday, Belkin released a statement saying it “was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates.”

Belkin said devices with the recent firmware release (version 3949) are not at risk for malicious firmware attacks and are not at risk for remote control or monitoring of WeMo devices from unauthorized devices.

The company said smartphone users should download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.2.1) and then upgrade the firmware version through the app.

The Belkin statement said specific fixes included:

  • An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices.
  • An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack.
  • An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that contains the most recent firmware update.
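The weakness described in the advisory is that the update notice travelled over an unauthenticated channel, so a signed image alone was not enough; Belkin's fix added TLS and validation to the feed. The following is an added example (not Belkin's or IOActive's code) of the notice-side checks a paired app or device should enforce before installing: TLS on both the feed and the image URL, anti-rollback on the version, and a digest in the authenticated notice bound to the image bytes. The RSS-like layout, URLs and version numbers are constructed; the GPG signature check over the image is assumed to happen separately and is not shown.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed RSS-like update notice (the real WeMo feed layout is not on the page).
NOTICE_TEMPLATE = """<rss><channel><item>
  <title>WeMo firmware {version}</title>
  <version>{version}</version>
  <enclosure url="{url}" />
  <sha256>{digest}</sha256>
</item></channel></rss>"""

def build_notice(version, url, firmware):
    """Render a notice whose digest field is bound to the given image bytes."""
    digest = hashlib.sha256(firmware).hexdigest()
    return NOTICE_TEMPLATE.format(version=version, url=url, digest=digest)

def parse_notice(feed_xml):
    """Pull version, image URL and expected digest out of the first feed item."""
    item = ET.fromstring(feed_xml).find("./channel/item")
    if item is None or item.find("enclosure") is None:
        raise ValueError("feed carries no update item")
    return {
        "version": int(item.findtext("version", "0")),
        "url": item.find("enclosure").get("url", ""),
        "sha256": item.findtext("sha256", "").strip().lower(),
    }

def validate_update(feed_url, feed_xml, current_version, firmware):
    """Return the version to install or raise ValueError with the reason.
    Both the notice and the image must arrive over TLS (a plain-http feed is
    what a spoofer can serve), the image must be newer than the running one
    (a correctly signed but old image is still a downgrade), and the image
    bytes must match the digest inside the authenticated notice."""
    if urlparse(feed_url).scheme != "https":
        raise ValueError("update notice not fetched over TLS")
    notice = parse_notice(feed_xml)
    if urlparse(notice["url"]).scheme != "https":
        raise ValueError("firmware URL is not https")
    if notice["version"] <= current_version:
        raise ValueError("refusing downgrade or reinstall to %d" % notice["version"])
    if hashlib.sha256(firmware).hexdigest() != notice["sha256"]:
        raise ValueError("firmware digest does not match the notice")
    return notice["version"]

def decide(feed_url, feed_xml, current_version, firmware):
    """'accept' or 'reject: <reason>', suitable for logging the update decision."""
    try:
        validate_update(feed_url, feed_xml, current_version, firmware)
        return "accept"
    except ValueError as exc:
        return "reject: " + str(exc)
```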