Along with issuing a warning on Tuesday about multiple vulnerabilities in Belkin WeMo Home Automation devices, security firm IOActive accused Belkin of being unresponsive in issuing fixes and responding to its reports.
IOActive, claiming that Belkin had not issued any patches for the security flaws, said that it had issued its own advisory due to the fact that Belkin was unresponsive.
Also, in its advisory issued Feb 18., CERT warned: “We are currently unaware of a practical solution to this problem.”
Late Tuesday, however, a Belkin spokesperson told SecurityWeek the vulnerabilities were fixed before IOActive and CERT issued security advisories.
“We actually were in contact with them before as we’ve had the fixes implemented already,” the spokesperson told SecurityWeek late Tuesday. “It seems like a case of miscommunication between various parties.”
“Belkin was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates,” the company said in a statement issued late Tuesday.
In response to the comments from Belkin and the associated security updates, IOActive provided the following statement to SecurityWeek on Wednesday afternoon:
IOActive is a longtime proponent of responsible disclosure and has, for several years, coordinated the public disclosure of critical findings with the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT). US-CERT leads efforts to improve the US’s cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks. As a government organization, US-CERT is an impartial third party that we rely on to report significant security concerns.
As a leading global security consultancy with a large international team of professional researchers, IOActive works with US-CERT and other regional CERT’s to help educate and secure the products technology consumers frequently use or interface with. We are successful because we conduct business and handle sensitive vulnerabilities in an ethical and responsible manner. If, through the course of our independent research vulnerabilities are discovered with a particular product or technology class, IOActive seeks to work with the appropriate CERT in mitigating the potential threat. As a coordinator of vulnerability intelligence and public disclosure, CERTs are the industry’s trusted intermediary for evaluating the risks of alerting consumers and users to the discovered vulnerabilities, and for managing the timing of information releases. It is important that vendors or suppliers alerted to vulnerable systems by a CERT respond and provide updates on their progress in remediating or mitigating any vulnerabilities back to their CERT point of contact. The responsibility for responding to CERT falls exclusively on the vendor/supplier.
IOActive is delighted that Belkin has acted on five of CERT’s stated vulnerabilities. While there are other documented concerns, Belkin is headed in the right direction. It is not IOActive’s practice to recheck or certify fixes that may be offered by the vulnerable vendor in response to a CERT notification.
IOActive recommends that companies unfamiliar with responsible disclosure practices engage and respond with CERT when issues have been identified. This will reflect positively on their company – in the eyes of investors, customers, and the Internet community at large.
As a company, IOActive researches and probes the security of new products and classes of technology as a way of developing new assessment methodologies and for identifying new mitigation strategies. Ultimately, what the company wants when uncovering these vulnerabilities, and by working through the appropriate CERT organizations, is to ensure the issues get fixed. That has and always will be IOActive’s goal.
