
Belkin fixes WeMo security holes that gave hackers access to home appliances

The inherent risk of controlling all your home appliances over the Internet is that a hacker could potentially wreak havoc with your thermostat and coffee maker, so it's simultaneously unnerving and comforting that Belkin has patched up several vulnerabilities in its WeMo home automation system that could have allowed for such a scenario.

In security advisories published on Tuesday, IOActive and CERT describe how WeMo uses an RSS-like mechanism to notify the system of new firmware updates. Part of the problem was that Belkin delivered these notices through an unencrypted channel, potentially allowing hackers to spoof the RSS feed and deliver malicious firmware updates.

Normally these updates wouldn't get through without being verified by Belkin. But a couple of other issues, including extractable passwords and cryptographic keys and a failure to validate Secure Sockets Layer (SSL) certificates, would have allowed hackers to pass off malicious updates as legitimate. IOActive also found a vulnerability that could reveal system files on the local network, and discovered a way for an attacker to relay connections to any other WeMo device.
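As an added illustration (not code from Belkin, IOActive or CERT), the sketch below shows the checks an update client needs to close the gaps described above: it refuses update notices and firmware URLs that are not HTTPS, insists on a TLS context with certificate validation on, and rejects an image that does not match the digest in the notice. The feed layout, the host name and the `sha256` attribute are assumptions made up for the example, and the digest check stands in for signature verification against a vendor public key, which is what keeps secrets extracted from a device from being usable to sign updates.

```python
import hashlib
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample data: the feed layout, host and sha256 attribute are hypothetical.
FIRMWARE = b"constructed firmware image bytes"
FEED = """<rss><channel><item>
  <title>firmware 1.0.1</title>
  <enclosure url="https://updates.example.com/fw-1.0.1.bin" sha256="{}"/>
</item></channel></rss>""".format(hashlib.sha256(FIRMWARE).hexdigest())

def strict_tls_context():
    """TLS context to use for every fetch: validates the chain and the host name."""
    ctx = ssl.create_default_context()
    # Both are the library defaults; this guards against code that switched them off.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("certificate validation is disabled")
    return ctx

def require_https(url):
    """Reject any URL that would travel over an unencrypted channel."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("refusing non-HTTPS URL: " + url)
    return url

def parse_notice(feed_url, feed_xml):
    """Return (firmware_url, expected_sha256) from a notice fetched from feed_url."""
    require_https(feed_url)
    enclosure = ET.fromstring(feed_xml).find("./channel/item/enclosure")
    if enclosure is None:
        raise ValueError("no firmware enclosure in feed")
    return require_https(enclosure.get("url", "")), enclosure.get("sha256", "").lower()

def accept_firmware(feed_url, feed_xml, image):
    """True only if the notice and image URL are HTTPS and the image matches its digest."""
    try:
        _, expected = parse_notice(feed_url, feed_xml)
    except (ValueError, ET.ParseError):
        return False
    return len(expected) == 64 and hashlib.sha256(image).hexdigest() == expected
```
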

At the time that IOActive and CERT published their reports, Belkin had not responded, and IOActive simply recommended that WeMo users unplug their devices until the problem was resolved.

But on Wednesday, Belkin clarified that it had already fixed the vulnerabilities through existing firmware updates. As long as users have updated their firmware on January 24 or later, they should be safe from virtual home invasion. Updates to the WeMo app for iOS (as of January 24) and Android (as of February 10) also contain the most recent firmware update.

It's likely that this cat-and-mouse game will continue as home automation goes more mainstream. The occasional security glitch is just what happens when we connect more of our lives to the Internet. As with all technology, that's no reason to swear off all home automation. It just means that inevitably, some hacker will succeed at remotely ruining a perfectly good cup of coffee.

IDG News Service
