Belkin: Security Fixes Were Already Issued for Recent WeMo Vulnerabilities

Early Tuesday, Security firm IOActive issued a warning about multiple vulnerabilities in Belkin WeMo Home Automation devices that could give attackers the ability to remotely control WeMo Home Automation attached devices over the Internet, perform malicious firmware updates, and in some cases, remotely monitor the devices.

Belkin’s WeMo uses Wi-Fi and mobile Internet to enable users to control home electronics from any location in the world from their smartphone.

IOActive, claiming that Belkin had not issued any patches for the security flaws, issued its own advisory due to the fact that Belkin was unresponsive.

In its advisory issued on Feb 18., CERT warned: “We are currently unaware of a practical solution to this problem.”

A Belkin spokesperson originally responded to a SecurityWeek inquiry Tuesday afternoon saying, “Our security teams are looking into the vulnerabilities now.”

However, on Tuesday evening, many hours later, the same spokesperson told SecurityWeek the vulnerabilities were fixed before IOActive and CERT issued security advisories on Feb 18.

“We actually were in contact with [IOActive] before as we’ve had the fixes implemented already,” the spokesperson told SecurityWeek late Tuesday. “It seems like a case of miscommunication between various parties.”

“Belkin has corrected the list of five potential vulnerabilities affecting the WeMo line of home automation solutions that was published in a CERT advisory on February 18,” the company said in a statement issued late Tuesday.

“Belkin was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates.”

Belkin said users with the most recent firmware release (version 3949) are not at risk for malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices.

According to Belkin, specific fixes that have been issued include:

• An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices.

• An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack

• An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that contains the most recent firmware update

Belkin advised users to download the latest mobile apps from the App Store (version 1.4.1) or Google Play (version 1.2.1) and then upgrade the firmware version through the app.

If Belkin had actually made the fixes, it either did not push them out to users effectively or did an incredibly poor job communicating that fixes were available to the outside world.

This story will be updated with any additional comments from IOActive and Belkin.