Security Experts:

Connect with us

Hi, what are you looking for?



IOActive Issues Statement on Belkin Vulnerability Debate

Along with issuing a warning on Tuesday about multiple vulnerabilities in Belkin WeMo Home Automation devices, security firm IOActive accused Belkin of being unresponsive in issuing fixes and responding to its reports.

Along with issuing a warning on Tuesday about multiple vulnerabilities in Belkin WeMo Home Automation devices, security firm IOActive accused Belkin of being unresponsive in issuing fixes and responding to its reports.

IOActive, claiming that Belkin had not issued any patches for the security flaws, said that it had issued its own advisory due to the fact that Belkin was unresponsive.

Also, in its advisory issued Feb 18., CERT warned: “We are currently unaware of a practical solution to this problem.”

Late Tuesday, however, a Belkin spokesperson told SecurityWeek the vulnerabilities were fixed before IOActive and CERT issued security advisories.

“We actually were in contact with them before as we’ve had the fixes implemented already,” the spokesperson told SecurityWeek late Tuesday. “It seems like a case of miscommunication between various parties.”

“Belkin was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates,” the company said in a statement issued late Tuesday.

In response to the comments from Belkin and the associated security updates, IOActive provided the following statement to SecurityWeek on Wednesday afternoon:

IOActive is a longtime proponent of responsible disclosure and has, for several years, coordinated the public disclosure of critical findings with the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT). US-CERT leads efforts to improve the US’s cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks. As a government organization, US-CERT is an impartial third party that we rely on to report significant security concerns.

As a leading global security consultancy with a large international team of professional researchers, IOActive works with US-CERT and other regional CERT’s to help educate and secure the products technology consumers frequently use or interface with. We are successful because we conduct business and handle sensitive vulnerabilities in an ethical and responsible manner. If, through the course of our independent research vulnerabilities are discovered with a particular product or technology class, IOActive seeks to work with the appropriate CERT in mitigating the potential threat. As a coordinator of vulnerability intelligence and public disclosure, CERTs are the industry’s trusted intermediary for evaluating the risks of alerting consumers and users to the discovered vulnerabilities, and for managing the timing of information releases. It is important that vendors or suppliers alerted to vulnerable systems by a CERT respond and provide updates on their progress in remediating or mitigating any vulnerabilities back to their CERT point of contact. The responsibility for responding to CERT falls exclusively on the vendor/supplier.

IOActive is delighted that Belkin has acted on five of CERT’s stated vulnerabilities. While there are other documented concerns, Belkin is headed in the right direction. It is not IOActive’s practice to recheck or certify fixes that may be offered by the vulnerable vendor in response to a CERT notification.

IOActive recommends that companies unfamiliar with responsible disclosure practices engage and respond with CERT when issues have been identified. This will reflect positively on their company – in the eyes of investors, customers, and the Internet community at large.

As a company, IOActive researches and probes the security of new products and classes of technology as a way of developing new assessment methodologies and for identifying new mitigation strategies. Ultimately, what the company wants when uncovering these vulnerabilities, and by working through the appropriate CERT organizations, is to ensure the issues get fixed. That has and always will be IOActive’s goal.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.