

Password leak in WeMo devices makes home appliances susceptible to hijacks - stygiansonic
http://arstechnica.com/security/2014/02/password-leak-in-wemo-devices-makes-home-appliances-susceptible-to-hijacks/

======
usbhub
I have a WeMo and it works. I don't understand this hijack. Do users need
access to my WiFi (or breach perimeter) first and take control?

It is a classic security/ease-of-use trade-off. At the moment, anyone who has
the app installed can take control of the device if they are on the same WiFi
network. This control is _retained_ if the user leaves the WiFi network. This
is a helpful feature that can be a security risk.

------
XorNot
And this is why closed source home automation is absurd. These are hardware
devices - companies can make their profit selling hardware, but the protocols
and endpoints need to be open.

~~~
dangrossman
They're more open than most electronics. They broadcast their capabilities and
control URLs on the local network over UPnP. They don't have to be open to the
internet to use them, just to get the firmware updates or use the mobile app
from outside your LAN. You can talk to them directly from your code and people
have written open source libraries encapsulating that.
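
The UPnP discovery described in the comment above, as an added example that is not part of the thread or of any WeMo library: it parses SSDP replies into an inventory of hosts on your own LAN that advertise a description URL. The sample replies, addresses, port and SERVER string are constructed.

```python
import socket
from urllib.parse import urlsplit
SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')

def parse_ssdp(raw):
    """Return lower-cased headers of a 200 OK reply that has a LOCATION, else None."""
    lines = raw.decode("utf-8", "replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers if "location" in headers else None

def inventory(replies):
    """Map each advertising host to its description URL, SERVER string and types."""
    devices = {}
    for raw in replies:
        h = parse_ssdp(raw)
        host = urlsplit(h["location"]).hostname if h else None
        if host is None:
            continue  # malformed reply, or one without a usable description URL
        entry = devices.setdefault(host, {"location": h["location"],
                                          "server": h.get("server", ""), "types": set()})
        entry["types"].add(h.get("st", ""))
    return devices

def discover(timeout=3.0):
    """Send one M-SEARCH on the local network and collect the raw replies."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH, SSDP_ADDR)
        try:
            while True:
                replies.append(sock.recvfrom(65507)[0])
        except socket.timeout:
            return replies

def _reply(ip, st):  # builds a constructed reply; addresses and names are made up
    return (f"HTTP/1.1 200 OK\r\nLOCATION: http://{ip}:49152/desc.xml\r\n"
            f"SERVER: Example/1.0 UPnP/1.0\r\nST: {st}\r\n\r\n").encode()
SAMPLE = [_reply("192.168.1.50", "upnp:rootdevice"), _reply("192.168.1.1", "upnp:rootdevice"),
          _reply("192.168.1.50", "urn:schemas-upnp-org:device:Basic:1"),
          b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n\r\n"]  # last one lacks LOCATION
```

`inventory(SAMPLE)` runs offline on the constructed replies; `inventory(discover())` lists what is advertising on the network the machine is attached to.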

------
techinsidr
Belkin is stating they fixed the vulnerabilities BEFORE yesterday's
disclosure... but they didn't do a great job telling anyone:

http://www.securityweek.com/belkin-security-fixes-were-already-issued-recent-wemo-vulnerabilities

------
uslic001
I had taken WeMo devices down yesterday for a different reason, but now I have
reservations about putting them back up given Belkin's slow response to these
issues. I had updated the firmware this past weekend, so hopefully they really
fixed the problems like the other article posted below claims, but I will wait
until the new firmware has been tested by outside sources before I think of
plugging them back in.

------
joeblau
The dub step light hack was pretty crazy.

~~~
nobodyshere
Not as crazy as lack of comments from Belkin, though. But it will be even
crazier if Belkin tries to sue the hacker for some reason.

