Follow Slashdot stories on Twitter


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Submission + - Belkin WeMo Home Automation Products Riddled With Security Holes (

chicksdaddy writes: The Security Ledger reports that the security firm IOActive has discovered serious security holes in the WeMo home automation technology from Belkin. The vulnerabilities could allow remote attackers to use Belkin’s WeMo devices to virtually vandalize connected homes, or as a stepping stone to other computers connected on a home network.

IOActive researcher Mike Davis said on Tuesday that his research into Belkin’s WeMo technology found the “devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.” ( IOActive provided information on Davis’s research to the US Computer Emergency Readiness Team (CERT), which issued an advisory on the WeMo issues on Tuesday. ( There has been no response yet from Belkin.

Among the problems discovered by Davis and IOActive: Belkin’s firmware reveals the signing key and password allowing an attacker with physical or logical access to a WeMo device to sign a malicious software update and get it to run on the device, bypassing security and integrity checks. Also, Belkin WeMo devices don’t validate Secure Socket Layer (SSL) certificates used with inbound communications from Belkin’s cloud service. That could allow an attacker to impersonate Belkin’s legitimate cloud service using any valid SSL certificate, potentially pushing a bogus firmware update or malicious RSS feed to deployed WeMo devices.

WeMo customers who are counting on their wireless router and NAT (network address translation) or a firewall to provide cover should also beware. Davis found that Belkin has implemented a proprietary 'darknet' that connects deployed WeMo devices by ‘abusing’ an (unnamed) protocol originally designed for use with Voice over Internet Protocol (VoIP) services. With knowledge of the protocol and a ‘secret number’ uniquely identifying the device, an attacker could connect to- and control any WeMo device over the proprietary network.

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Belkin WeMo Home Automation Products Riddled With Security Holes

Comments Filter:

The opposite of a correct statement is a false statement. But the opposite of a profound truth may well be another profound truth. -- Niels Bohr