WeMo, Belkin’s standard protocol for home automation devices has apparently been hacked, and the core security laid wide open for potential malware attacks. The exposure is so bad that security experts at IOActive have gone so far as to recommend its use be discontinued altogether.
“The firmware updates are encrypted using GPG, which is intended to prevent this issue,” the IOActive advisory stated. “Unfortunately, Belkin misuses the GPG asymmetric encryption functionality, forcing it to distribute the firmware-signing key within the WeMo firmware image. Most likely, Belkin intended to use the symmetric encryption with a signature and a shared public key ring. Attackers could leverage the current implementation to easily sign firmware images.”
What this means is that with the keys to the castle, hackers can program your device with their own custom software, and that could allow fun and games like this:
Traditional home network security is ineffective, as the devices are designed to automatically update themselves. So until such time as Belkin offers a solution or exchange, unplug the device. While you’re unlikely to encounter the same kind of situation that the heroes of Almost Human encountered this week, hopefully Belkin will find a way to address these issues, and beef up their security on both the front and the back end. If you’re security-conscious, you should also look at similar products like power-line networking that may use similar protocols and have similar security holes. If you want more information on the nature of the holes, and a more technical explanation, follow the source link below.