Belkin fixes WeMo security holes that gave hackers access to home appliances
The inherent risk of controlling all your home appliances over the Internet is that a hacker could potentially wreak havoc with your thermostat and coffee maker, so it's simultaneously unnerving and comforting that Belkin has patched up several vulnerabilities in its WeMo home automation system that could have allowed for such a scenario.
In security advisories published on Tuesday, IOActive and CERT describe how WeMo uses an RSS-like mechanism to notify the system of new firmware updates. Part of the problem was that Belkin delivered these notices through an unencrypted channel, potentially allowing hackers to spoof the RSS feed and deliver malicious firmware updates.
Normally these updates wouldn't get through without being verified by Belkin. But a couple other issues, including extractable passwords and cryptographic keys and a failure to validate secure socket layer certificates, would have allowed hackers to pass off malicious updates as legitimate. IOActive also found a vulnerability that could reveal system files on the local network, and discovered a way for an attacker to relay connections to any other WeMo device.
At the time that IOActive and CERT published their reports, Belkin had not responded, and IOActive simply recommended that WeMo users unplug their devices until the problem was resolved.
But on Wednesday, Belkin clarified that it had already fixed the vulnerabilities through existing firmware updates. As long as users have updated their firmware on January 24 or later, they should be safe from virtual home invasion. Updates to the WeMo app for iOS (as of January 24) and Android (as of February 10), also contain the most recent firmware update.
It's likely that this cat-and-mouse game will continue as home automation goes more mainstream. The occasional security glitch is just what happens when we connect more of our lives to the Internet. As with all technology, that's no reason to swear off all home automation. It just means that inevitably, some hacker will succeed at remotely ruining a perfectly good cup of coffee.