Belkin WeMo smart home networks in danger of hacks
Researchers warn that more than 500,000 home automation devices have vulnerabilities that would allow attackers to remotely take control of thermostats, lighting, sprinkler systems, and more.
Smart home networks are rapidly gaining popularity, but some security experts worry that not enough encryption controls are coming with the products.
Security firm IOActive released an advisory (PDF) on Tuesday saying more than half a million Belkin WeMo devices are susceptible to widespread hacks. The firm uncovered several vulnerabilities in these devices, which would let hackers gain access to home networks and remotely control Internet-connected appliances.
The hacks could range from a mean-spirited prank to actually posing a danger. For example, they could be as benign as turning someone's house lights on-and-off to something dangerous like getting a fire started.
Many of Belkin's WeMo home automation products let users build their own smart home solutions by adding Internet connectivity to any device -- like sprinkler systems, thermostats, and antennas. Once connected, users can control their appliances with a smartphone from anywhere in the world.
However, hackers could also get into these networks, warns IOActive. The vulnerabilities found by the firm would let hackers remotely control and monitor home networks, along with perform malicious firmware updates and gain access to other devices, like laptops and smartphones.
According to IOActive, the vulnerabilities would let hackers impersonate Belkin's encryption keys and cloud services to "push malicious firmware updates and capture credentials at the same time."
As long as Belkin doesn't patch these vulnerabilities, IOActive recommends that users refrain from using the WeMo devices. The firm has worked with the US government's Community Emergency Response Team (CERT) on these recommendations and CERT issued its own advisory on Tuesday.
"As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles," IOActive principal research scientist Mike Davis said in a statement. "This mitigates their customer's exposure and reduces risk. Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home."
A Belkin spokesperson told CNET that the company has "corrected the list of five potential vulnerabilities affecting the WeMo line of home automation solutions" that was published in the CERT advisory. These fixes were issued through in-app notifications and updates.
The company said that users with the most recent firmware release (version 3949) are not at risk of hacks but those users on older releases should download the latest app from Apple's App Store or Google Play Store and upgrade their firmware.
"An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices" is one specific fix, and Belkin said others include "an update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack."
Update, February 20 at 2:55 p.m. PT: with comment and information from Belkin.