Affected Products
Belkin WeMo products
Devices built on the WeMo firmware
Impact
Belkin has recently produced a line of home-automation products under the WeMo name. For more information, see:
http://www.belkin.com/us/Products/home-automation/c/wemo-home-automation
These products feature iPhone and Android applications that:
- Monitor onboard sensors, such as motion sensors and streaming audio
- Actuate controls, such as relays and LEDs
While researchers have reported some security issues relating to these products, their cloud features are secure when used on
the local network. For more information, see:
http://www.youtube.com/watch?v=BcW2q0aHOFo
IOActive examined the WeMo “Light Switch” firmware and uncovered a series of issues. When combined, these issues produce
a variety of vulnerabilities:
- Remote control of attached devices over the internet
- Malicious firmware updates
- In some cases, remote monitoring
- Internal LAN access
The WeMo devices connect to the Internet using the STUN/TURN protocol. This gives users remote control of the devices and
allows them to perform firmware updates from anywhere in the world. A generated GUID is the primary source of access control.
WeMo also uses a GPG-based, encrypted firmware distribution scheme to maintain device integrity during updates.
Unfortunately, attackers can easily bypass most of these features due to the way they are currently implemented in the WeMo
product line. The command for performing firmware updates is initiated over the Internet from a paired device. Firmware
update notices are delivered through an RSS-like mechanism to the paired device rather than to the WeMo device itself, and
that feed travels over an unencrypted channel. As a result, attackers can easily push firmware updates to WeMo users by
spoofing the RSS feed with a correctly signed firmware image.
The firmware updates are encrypted using GPG, which is intended to prevent this issue. Unfortunately, Belkin misuses the GPG
asymmetric encryption functionality, forcing it to distribute the firmware-signing key within the WeMo firmware image. Most likely,
Belkin intended to use the symmetric encryption with a signature and a shared public key ring. Attackers could leverage the
current implementation to easily sign firmware images.
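The two paragraphs above describe the design Belkin most likely intended: the device holds only a public key ring and verifies a signature, while the private signing key stays with the vendor and never ships inside the image. The following Go program is an added example, not WeMo or IOActive code, that models that intended design with Ed25519 in place of GPG: the vendor signs a digest of the image, the device verifies against its trusted keys before flashing, and a release-time check confirms the signing seed was not baked into the image. The firmware bytes, the `Vendor`/`Device` types and the feed-spoofing scenario are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareUpdate is a constructed model of an update package: the image plus
// a detached signature over the image's SHA-256 digest.
type FirmwareUpdate struct {
	Image     []byte
	Signature []byte
}

// Vendor holds the private signing key. In a sound design this key exists only
// in the vendor's release environment and is never written into an image.
type Vendor struct {
	priv ed25519.PrivateKey
}

// Device holds only a ring of trusted public keys: it can verify, not sign.
type Device struct {
	TrustedKeys []ed25519.PublicKey
}

var ErrBadSignature = errors.New("firmware signature does not verify against any trusted key")

// NewVendor generates a fresh signing key pair and returns the vendor together
// with the public half that devices should ship with.
func NewVendor() (*Vendor, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Vendor{priv: priv}, pub, nil
}

// Sign produces an update package for image; only the vendor can do this.
func (v *Vendor) Sign(image []byte) FirmwareUpdate {
	digest := sha256.Sum256(image)
	return FirmwareUpdate{Image: image, Signature: ed25519.Sign(v.priv, digest[:])}
}

// ImageLeaksKey is a release-time check: it reports whether the private seed
// was accidentally embedded in the image about to ship.
func (v *Vendor) ImageLeaksKey(image []byte) bool {
	return bytes.Contains(image, v.priv.Seed())
}

// Verify is what the device runs before flashing. Whatever feed announced the
// update, the image is accepted only if a trusted key signed it.
func (d *Device) Verify(u FirmwareUpdate) ([]byte, error) {
	digest := sha256.Sum256(u.Image)
	for _, pub := range d.TrustedKeys {
		if ed25519.Verify(pub, digest[:], u.Signature) {
			return u.Image, nil
		}
	}
	return nil, ErrBadSignature
}

func main() {
	vendor, pub, err := NewVendor()
	if err != nil {
		panic(err)
	}
	dev := &Device{TrustedKeys: []ed25519.PublicKey{pub}}
	image := []byte("constructed firmware image, version 1.0")

	// Genuine update: verifies (err is nil).
	_, err = dev.Verify(vendor.Sign(image))
	fmt.Println("genuine update:", err)

	// Same image announced through a spoofed feed but signed by someone else:
	// rejected, because the device never held a key that could sign for it.
	other, _, _ := NewVendor()
	_, err = dev.Verify(other.Sign(image))
	fmt.Println("update signed by untrusted key:", err)

	// Genuine signature over a modified image: rejected.
	u := vendor.Sign(image)
	u.Image = append([]byte("tampered "), u.Image...)
	_, err = dev.Verify(u)
	fmt.Println("tampered image:", err)

	fmt.Println("release image embeds signing key:", vendor.ImageLeaksKey(image))
}
```

The point of the split is that a spoofed update feed becomes harmless: the device will flash only what a key in its ring vouches for, and nothing on the device can produce such a signature. Confidentiality of the image, if wanted, is a separate layer (symmetric encryption of the signed package) and must not be the mechanism that carries the signing key.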
Belkin uses STUN/TURN and an exposed firmware signing key. IOActive discovered an unfortunate configuration relating to this.
A lack of entropy on the device results in less-than-random GUIDs. IOActive also discovered that the WeMo RESTful service
endpoint is vulnerable to attack. We reported an arbitrary file download flaw in this endpoint to Belkin.
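Because the GUID is the primary access-control token, its unpredictability is what the security of remote access rests on. The following Go program is an added example, not WeMo or IOActive code, that shows the self-test a manufacturer can run against its identifier generator: it contrasts a constructed weak generator, seeded from a value that is identical on every boot, with one fed by the OS CSPRNG, and measures what fraction of identifiers generated across simulated boots are distinct. The seed value, boot loop and GUID formatting are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
)

// guidFromBytes formats 16 raw bytes in UUID layout; the quality of the result
// depends entirely on where those bytes came from.
func guidFromBytes(b [16]byte) string {
	h := hex.EncodeToString(b[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32]
}

// WeakGUID models a device that seeds a non-cryptographic PRNG from a value
// that is the same after every power-on (constructed example: an uptime
// counter read immediately at boot). Same seed, same identifier.
func WeakGUID(bootSeed int64) string {
	r := mrand.New(mrand.NewSource(bootSeed))
	var b [16]byte
	binary.LittleEndian.PutUint64(b[0:8], r.Uint64())
	binary.LittleEndian.PutUint64(b[8:16], r.Uint64())
	return guidFromBytes(b)
}

// StrongGUID draws all 128 bits from the operating system's CSPRNG.
func StrongGUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return guidFromBytes(b), nil
}

// SimulateBoots calls gen once per simulated boot and collects the identifiers.
func SimulateBoots(boots int, gen func(boot int) string) []string {
	ids := make([]string, boots)
	for i := range ids {
		ids[i] = gen(i)
	}
	return ids
}

// DistinctRatio is the self-test: the fraction of identifiers that are unique.
// Anything far below 1.0 means the identifier cannot serve as a secret.
func DistinctRatio(ids []string) float64 {
	seen := make(map[string]struct{}, len(ids))
	for _, id := range ids {
		seen[id] = struct{}{}
	}
	return float64(len(seen)) / float64(len(ids))
}

func main() {
	const boots = 100
	// Every simulated boot reads the same seed value, as a device with no
	// entropy source and no battery-backed clock would.
	weak := SimulateBoots(boots, func(int) string { return WeakGUID(0) })
	strong := SimulateBoots(boots, func(int) string {
		id, err := StrongGUID()
		if err != nil {
			panic(err)
		}
		return id
	})
	fmt.Printf("weak generator:   %d boots, distinct ratio %.2f, sample %s\n",
		boots, DistinctRatio(weak), weak[0])
	fmt.Printf("strong generator: %d boots, distinct ratio %.2f, sample %s\n",
		boots, DistinctRatio(strong), strong[0])
}
```

A distinct ratio near zero across boots is the signature of exactly the failure the advisory describes: the generator is deterministic given its seed, and the seed carries no entropy. The fix is not a better PRNG but a real entropy source (hardware RNG, or seed material provisioned per device at manufacture) feeding a CSPRNG.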