Affected Products Belkin WeMo products Devices built on the WeMo firmware Impact Belkin has recently produced a line of home-automation products under the WeMo name. For more information, see: http://www.belkin.com/us/Products/home-automation/c/wemo-home-automation These products feature iPhone and Android applications that: - Monitor onboard sensors, such as motion sensors and streaming audio - Actuate controls, such as relays and LEDs While researchers have reported some security issues relating to these products, their cloud features are secure when used on the local network. For more information, see: http://www.youtube.com/watch?v=BcW2q0aHOFo IOActive examined the WeMo “Light Switch” firmware and uncovered a series of issues. When combined, these issues produce a variety of vulnerabilities: - Remote control of attached devices over the internet - Malicious firmware updates - In some cases, remote monitoring - Internal LAN access The WeMo devices connect to the Internet using the STUN/TURN protocol. This gives users remote control of the devices and allows them to perform firmware updates from anywhere in the world. A generated GUID is the primary source of access control. WeMo also uses a GPG-based, encrypted firmware distribution scheme to maintain device integrity during updates. Unfortunately, attackers can easily bypass most of these features due to the way they are currently implemented in the WeMo product line. The command for performing firmware updates is initiated over the Internet from a paired device. Also, firmware update notices are delivered through an RSS-like mechanism to the paired device, rather than the WeMo device itself, which is distributed over a non-encrypted channel. As a result, attackers can easily push firmware updates to WeMo users by spoofing the RSS feed with a correctly signed firmware. The firmware updates are encrypted using GPG, which is intended to prevent this issue. Unfortunately, Belkin misuses the GPG asymmetric encryption functionality, forcing it to distribute the firmware-signing key within the WeMo firmware image. Most likely, Belkin intended to use the symmetric encryption with a signature and a shared public key ring. Attackers could leverage the current implementation to easily sign firmware images. Belkin uses STUN/TURN and an exposed firmware signing key. IOActive discovered an unfortunate configuration relating to this. A lack of entropy on the device results on less-than-random GUIDs. IOActive also discovered that the WeMo restful service endpoint is vulnerable to attack. We reported to Belkin an arbitrary file download flaw relating to this.