

Vulnerabilities for Over Half a Million Belkin WeMo Users - voltagex_
http://www.ioactive.com/news-events/IOActive_advisory_belkinwemo_2014.html

======
soneil
Easily missed here is that you have to regulate _outbound_ traffic to resolve
this, which breaks all remote features (IFTTT, etc).

My real worry here is that people are selling the devices short. "So what,
someone can turn my lights off?". Each one of these devices can act as a WAP -
they do so for the initial setup (you join the device's WAP with your phone
and initiate config from there). Each one of these devices has your network
credentials - they have to, to join your LAN.

Being able to sign & push your own firmware updates makes this a troubling
combination. It's well within each and every one of these "fire and forget"
devices to sit there broadcasting your network credentials.

Asking the users to solve this is hugely ineffective. If you block outbound
traffic, you don't receive firmware updates, and lose half the featureset. If
you isolate them onto a 'guest lan' to prevent them having useful data to
leak, then you lose the other half of the featureset.

The real failure here is bad key hygiene, a ball which is firmly in Belkin's
court - and they're refusing to even acknowledge it as an issue.

------
codyps
I find this to be completely expected. When Bluetooth LE can't even do a
secure key exchange and the large majority of manufacturer-supplied router
firmwares have authentication vulnerabilities, trusting another device that
you don't control the software of to get it right seems like a bad bet.

------
eksith
I'm in the process of designing a home automation system for my own cabin and
news like this is giving me gas. Granted, mine probably won't be nearly as
sophisticated (heat, lights, coffee machine etc...), but surely, it can't be
an impossible task to combine convenience and security.

~~~
ifelsethen
Well, if you were even considering WeMo in the first place (even well before
this vuln) you were 'doing it wrong'. A server with wifi in EVERY node is not
the way to go about adding home automation. These devices you have no control
over and rely on 'the cloud' have no business on your LAN.

~~~
dangrossman
WeMo devices don't rely on 'the cloud' and you can control them with local
URLs they broadcast over UPnP. Nothing has to leave your network, and there
are open source libraries for integrating them into your own projects.
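The local control path dangrossman is describing, as an added example that is not part of the thread and is neither Belkin's code nor that of any WeMo library: a UPnP device answers an SSDP M-SEARCH on the LAN with a LOCATION header, and the device description XML at that URL lists per-service controlURLs, which is where local commands are sent. The M-SEARCH wire format and the device-description schema are standard UPnP; the SSDP reply, the 192.168.1.50 address and the urn:example service type below are constructed placeholders, not captured WeMo values.

```python
"""SSDP discovery and UPnP device-description parsing, entirely on the LAN."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
UPNP_NS = "{urn:schemas-upnp-org:device-1-0}"


def build_msearch(search_target="upnp:rootdevice", mx=2):
    """Return the SSDP M-SEARCH datagram that asks the LAN for UPnP devices."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(datagram):
    """Parse one SSDP reply; return a dict of upper-cased headers, or None."""
    text = datagram.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def discover(timeout=3.0):
    """Send one M-SEARCH and collect replies until the timeout (needs a LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        while True:
            try:
                data, addr = sock.recvfrom(65535)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers and "LOCATION" in headers:
                found.append((addr[0], headers))
    finally:
        sock.close()
    return found


def device_name(description_xml):
    """friendlyName from a UPnP device description."""
    root = ET.fromstring(description_xml)
    return (root.findtext(f"{UPNP_NS}device/{UPNP_NS}friendlyName") or "").strip()


def control_urls(location, description_xml):
    """Map serviceType -> absolute controlURL, resolved against LOCATION."""
    # The XML comes from a peer on the LAN, i.e. untrusted input. ElementTree
    # does not fetch external entities, but cap the size before parsing so a
    # hostile description cannot exhaust memory.
    if len(description_xml) > 256 * 1024:
        raise ValueError("device description too large")
    root = ET.fromstring(description_xml)
    urls = {}
    for svc in root.iter(f"{UPNP_NS}service"):
        stype = svc.findtext(f"{UPNP_NS}serviceType")
        curl = svc.findtext(f"{UPNP_NS}controlURL")
        if stype and curl:
            urls[stype.strip()] = urljoin(location, curl.strip())
    return urls


# Constructed sample SSDP reply (not a capture); the address is made up.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=86400\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.50:49153/setup.xml\r\n"
    b"SERVER: Unspecified, UPnP/1.0, Unspecified\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:constructed-example-0001::upnp:rootdevice\r\n"
    b"\r\n"
)

# Constructed device description in the standard UPnP schema; the service
# type is a placeholder, not a real WeMo identifier.
SAMPLE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>urn:example:device:switch:1</deviceType>
    <friendlyName>Lamp</friendlyName>
    <serviceList>
      <service>
        <serviceType>urn:example:service:basicevent:1</serviceType>
        <serviceId>urn:example:serviceId:basicevent1</serviceId>
        <controlURL>/upnp/control/basicevent1</controlURL>
        <eventSubURL>/upnp/event/basicevent1</eventSubURL>
        <SCPDURL>/eventservice.xml</SCPDURL>
      </service>
    </serviceList>
  </device>
</root>"""

if __name__ == "__main__":
    headers = parse_ssdp_response(SAMPLE_RESPONSE)
    print("advertised description:", headers["LOCATION"])
    print("device:", device_name(SAMPLE_DESCRIPTION))
    for stype, url in control_urls(headers["LOCATION"], SAMPLE_DESCRIPTION).items():
        print(f"  {stype} -> {url}")
    # On a real LAN: for ip, hdrs in discover(): print(ip, hdrs.get("LOCATION"))
```

Every URL this yields points at the device itself, which is why control works with nothing leaving the network. The flip side is the trade-off soneil raises: UPnP control requests carry no credentials of their own, so anything that can reach those URLs on the same segment can use them, and moving the devices to a guest VLAN to contain that also moves them out of reach of your own controller. For parsing descriptions from devices you do not trust, a hardened parser such as defusedxml is the stricter choice over the standard ElementTree used here.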

------
dangrossman
I've had one of my WeMo switches turn itself off when I didn't tell it to. I
always wondered if someone was scanning the internet for them and found it; I
updated the firewall to block outside access even though that probably also
blocks me from using the app if I'm away from home.

------
blueskin_
Yet another insecure protocol. When will they learn?

