Belkin fixes WEMO security vulnerabilities

Earlier today security services company IOActive released a statement detailing potential vulnerabilities it had discovered in the popular Belkin Wemo range of remote or smart home switches.  Belkin has this evening responded to the reports with news of updates and patches that fix what it describes as potential vulnerabilities.

Belkin WEMO Switch

iOActive’s claims are complex and rather technical, however any potential unauthorised control of the Wemo switches or more worrying the sensors or cameras should be of concern to owners and users.

The IOActive release said “Mike Davis, IOActive’s principal research scientist, uncovered multiple vulnerabilities in the WeMo product set that gives attackers the ability to:

  • Remotely control WeMo Home Automation attached devices over the Internet
  • Perform malicious firmware updates
  • Remotely monitor the devices (in some cases)
  • Access an internal home network

Now personally, the worst thing that could happen to me is that some geek turns on my bedroom light while I’m sleeping, however with many people using the Belkin Wemo cameras and other sensors there is a justified concern for these remote systems.

Belkin today responded to several twitter conversations I was having with concerned users with a link to a statement outlining how the vulnerabilities had been fixed.  That statement is here and I’ve reproduced it below.  Belkin Wemo users should check this and ensure their app and device firmware is up to date.

Security vulnerabilities published in CERT advisory fixed

Belkin has corrected the list of five potential vulnerabilities affecting the WeMo line of home automation solutions that was published in a CERT advisory on February 18. Belkin was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates. Users with the most recent firmware release (version 3949) are not at risk from these malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices. Belkin urges such users to download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.2.1) and then upgrade the firmware version through the app. Specific fixes Belkin has issued include:

1) An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices. 

2) An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack 

3) An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that enables the most recent firmware update

Recent Posts

  • Tech

NBA Bounce is the fun-filled basketball game for the whole family

Basketball is incredibly popular among kids of all ages, but for many, the more advanced…

38 minutes ago
  • Tech

Google announces new Gemini-first home devices including Nest Cameras, Google Home speaker & improvements to Home app

Google has announced an updated range of Nest devices overnight, including new cameras, doorbell and…

3 hours ago
  • Tech

Beats unveil the evolution of their fitness earbuds with the new Powerbeats Fit

Beats has today introduced the Powerbeats Fit, the next generation of the Beats Fit Pro…

15 hours ago
  • Lifestyle

NBA 2K26 is bringing the ‘House of 2K’ to Melbourne Park this weekend as part of the NBAxNBL Melbourne series

Basketball, the NBA and the NBL are rocking Melbourne this weekend with Zion Williamson's New…

21 hours ago
  • Motoring

Drivers are distracted – How, why and are they willing to change?

AAMI have recently commissioned consumer research into why Aussies are driving distracted. It’s a case…

1 day ago
  • Tech

Amazon updates Echo, Ring, Fire TV and Blink product lineup – we’ve got the Australian prices

Amazon's devices team have had a busy evening, launching updates across pretty much their entire…

1 day ago