Update: Belkin WeMo smart home plug vulnerabilities fixed


Last month, a CERT advisory reported that Belkin WeMo Home Automation firmware contained a hard-coded cryptographic key and password, which an attacker who extracted them could have used to sign a malicious firmware update. Users can rest easy now that Belkin has corrected these vulnerabilities, so long as they download the latest app from the App Store (version 1.4.2) or Google Play Store (version 1.1.2) and upgrade the WeMo firmware. Users on the most recent firmware release (version 3949) are not at risk from the malicious firmware attacks, or from the remote control or monitoring of WeMo devices by unauthorized devices, described in the report. If you are buying new WeMo hardware, you’ll need to do the same. Specific fixes Belkin has issued include:

  1. An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices.
  2. An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack.
  3. An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that contains the most recent firmware update.

According to both CERT and Belkin, with the latest firmware update, you can go back to using your WeMos without trepidation.
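The second fix above moves the signing key off the device; the following is an added illustration of that model, not Belkin's code or anything from the advisory: the private key stays on the vendor's build system and the device embeds only the public key, so a dumped flash image gives an attacker nothing that can sign an update. Ed25519, the image layout, the rollback check and the sample version numbers other than 3949 are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed update container; the signature covers both fields.
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage binds version to payload so a signed payload cannot be replayed
// under a different version number.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, payload...)
}

// SignFirmware runs only on the vendor's build system, where the private key lives.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	return FirmwareImage{Version: version, Payload: payload, Signature: sig}
}

// VerifyFirmware is the device-side check; the device embeds only the public key,
// so a dumped flash image cannot sign updates. The rollback check is an assumption.
func VerifyFirmware(pub ed25519.PublicKey, installed uint32, img FirmwareImage) error {
	if !ed25519.Verify(pub, signedMessage(img.Version, img.Payload), img.Signature) {
		return errors.New("firmware signature invalid")
	}
	if img.Version <= installed {
		return errors.New("firmware version not newer than installed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor keypair
	img := SignFirmware(priv, 3949, []byte("constructed firmware payload"))
	fmt.Println("genuine:", VerifyFirmware(pub, 3000, img))
	img.Payload = []byte("tampered payload") // altered after signing
	fmt.Println("tampered:", VerifyFirmware(pub, 3000, img))
}
```

Run as-is, the genuine image verifies and the tampered one is rejected; the same public-key-only check is what the TLS-protected distribution feed in fix 2 delivers images to.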
