Security

Oops: Security Holes In Belkin Home Automation Gear

Posted by timothy
from the did-you-leave-the-iron-on-or-shall-I? dept.
chicksdaddy writes "The Security Ledger reports that the security firm IOActive has discovered serious security holes in the WeMo home automation technology from Belkin. The vulnerabilities could allow remote attackers to use Belkin's WeMo devices to virtually vandalize connected homes, or as a stepping stone to other computers connected on a home network. IOActive researcher Mike Davis said on Tuesday that his research into Belkin's WeMo technology found the 'devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.' IOActive provided information on Davis's research to the US Computer Emergency Readiness Team (CERT), which issued an advisory on the WeMo issues on Tuesday. There has been no response yet from Belkin."
  • Apparently to fix your Linksys, I hear all you need to do is disable: Remote Administration
    • by SeaFox (739806)

      Apparently to fix your Linksys, I hear all you need to do is disable: Remote Administration

      IMHO, that's a feature that should have never been turned on by default to start with. When I bought my last router (a Linksys WRT54G) eight or nine years ago, you could only administer it over wired connections by default. You had to turn on the ability to use wireless devices to make changes.

      Nowadays router makers seem to all allow wireless admin access by default, even when most people never bother to change the admin password. So all you need is to not secure your wifi (or have a compromised password) a

      • Not a problem for those of us who use aftermarket/open firmware. Or not such a problem. The recent hubbub over Linksys routers only concerns those with stock firmware, no? Of course it is a bit disturbing nonetheless, but at least there are not major inherent flaws in the hardware that cannot be patched. And I'm 100% positive that there are many routers that have much more serious issues. And how often are home or small business routers really directly hacked anyway?
  • Predictable .... (Score:5, Interesting)

    by gstoddart (321705) on Tuesday February 18, 2014 @02:09PM (#46277801) Homepage

    As soon as you start having something poking holes through your firewall to allow inbound traffic, this is pretty much a predictable outcome.

    The internet of things, smart home monitoring, and thermostats you can adjust from the web ... all of these are things which are going to cause security problems, because most companies doing these kinds of things seem to completely ignore security, or when they try, still do a piss poor job.

    I view the whole thing as a big "what did you expect?".

    • Re: (Score:2, Funny)

      by boristdog (133725)

      Which is why the best home security system is still the kind with four paws and a loud bark.

      • by EvilSS (557649)

        Which is why the best home security system is still the kind with four paws and a loud bark.

        I dunno about that. Mine has two steel feet and a pair of vulcan cannons and I feel pretty secure.

      • My home security system consists mainly of a number of conspicuous perimeter signs (which mention the main hardware provider, Smith & Wesson), a large and vocal canine, and some "hardware" as a last line of defense. 100% uptime (aside from some partial downtime when I take the dog with me) and effectiveness since installation.

        If I may be perfectly sincere, a medium-large dog that barks when startled is generally all you need to protect your home. Most all dogs are incredibly vigilant, and no burglar w
    • The WeMo switch I have is connected to the guest network of my router.
      So the rest of my network is secure I hope...

  • by plover (150551) on Tuesday February 18, 2014 @02:11PM (#46277835) Homepage Journal

    ...you say Belkin,
    let's watch your house get hacked.

  • by sjbe (173966) on Tuesday February 18, 2014 @02:12PM (#46277849)

    ...from Belkin

    What is it with these guys? Every piece of gear of theirs I've tried over the years has been flaky or just plain crap. I realize I don't have a large sample size but I've seen other people make similar comments about their gear. Their stuff just always seems to have some sort of problem.

    • Re:Belkin Gear (Score:4, Interesting)

      by J'raxis (248192) on Tuesday February 18, 2014 @02:30PM (#46278063) Homepage

      Maybe their hardware is crap because they're more about abusing their customers [slashdot.org] than providing quality products.

    • by Rufty (37223)
      I used to like Netgear, but they're crap now. You say Belkin is too, OK, who then? Linksys? I've had fun mucking up a WRT54GL, but that's ancient now, and back then Netgear were OK, too. TPlink? I like the TL-WR703N, but that's not really a big sample size.
      • by sjbe (173966)

        I used to like Netgear, but they're crap now. You say Belkin is too, OK, who then?

        I've at least had mixed luck with Netgear stuff, mostly fine with a few duds. Same with Linksys, D-Link, Trendnet and some others. Apple gear I've used has been solid if pricey. But I have yet to have a bit of Belkin gear that didn't do something unexpected (in a bad way). Maybe some of their stuff is fine but I haven't come across it.

      • by Grishnakh (216268)

        Try Buffalo; their routers come standard with DD-WRT. Or, look at the DD-WRT and OpenWRT device databases and pick a well-supported device to run one of those firmwares on.

      • by LoRdTAW (99712)

        I have one of their routers here at work (not my decision I can assure you). It works but its web config menu sucks and lacks many of the features you find in a decent router OS like m0n0wall or pfSense. But that is every crappy low end router. At home I run m0n0wall on an Alix board. That system is *ROCK SOLID* and I highly recommend it if you want a basic yet solid router for a connection of upward of 50 mbps or a bit more. If you want more speed for 100mbps+ then go with a Soekris NET6501 and pfSense.

        *BU

      • Belkin now owns Linksys.
    • by andydread (758754)
      Would you like to recommend an alternative that works better in your experience?
      • by sjbe (173966)

        Would you like to recommend an alternative that works better in your experience?

        Lately I've had the best luck with Trendnet and Apple. Dlink and Netgear are usually fine though I have run across a few bad pieces of gear. Linksys I've had mixed luck with and their stuff has gotten worse over time. My small office uses a Netgear 24 port switch, a few Trendnet gigabit switches and an Apple Airport Express for wireless. Haven't had any problems with any of it. We had a Netgear router (replaced by the Airport) which handled our wireless until it died for unexplained reasons.

        Sample size

    • by Anonymous Coward

      I remember when Belkin was mostly known for desk organizers and mouse pads. I wish they'd have stayed that way.

    • by gtall (79522)

      I only have a data point of one, a gizmo to use the radio to capture iPod tunes and play them so I could hear them. Never worked right. I finally gave up, resolved not to believe anything Belkin says about their stuff. With only one data point, that's not a good argument, but then I don't want to get burned again.

    • by drinkypoo (153816)

      What is it with these guys? Every piece of gear of theirs I've tried over the years has been flaky or just plain crap.

      Well, the problem is that all their gear is flaky or just plain crap.

      They make pretty good cables. Everything else is junk.

    • by AmiMoJo (196126) *

      They position themselves as a high end brand, priced appropriately. In fact they buy the cheapest shit they can get that week and package it up, usually with the same model number as last week, so the driver download is actually a bundle of several different drivers.

  • by OzPeter (195038) on Tuesday February 18, 2014 @02:16PM (#46277895)

    The hackers got into the home security system and caused it to mis-identify the homeowners as intruders. This caused the home security system to activate its laser targeted rifle and shoot (to kill) one of the homeowners.

    Ooops .. sorry .. that was last night's episode of Almost Human [fox.com]

      (and it's pretty sad when Fox has better Sci-Fi on than the Sy-Fy channel)

    • by gstoddart (321705)

      and it's pretty sad when Fox has better Sci-Fi on than the Sy-Fy channel

      It may be sad for Sy-Fy, but I'm personally glad to see that decent sci-fi is actually being made and that people don't just keep not understanding the audience.

      • by OzPeter (195038)

        but I'm personally glad to see that decent sci-fi is actually being made and that people don't just keep not understanding the audience.

        When it comes down to it Almost Human is your basic cop/detective show. However the writers have done a pretty good job of weaving in the future implications of technology as plot points.

        As an aside IMHO that article the other day asking about where is decent SciFi nowadays seemed to miss the point that for a good show character interactions and growth are what makes it good and that technology by itself is merely a prop.

        • by Yetihehe (971185)

          As an aside IMHO that article the other day asking about where is decent SciFi nowadays seemed to miss the point that for a good show character interactions and growth are what makes it good and that technology by itself is merely a prop.

          In MY humble opinion, character interactions and growth make a good space opera (SyFy), not SciFi.

          • by gstoddart (321705)

            Nope, crashing and booming and action makes good space opera (Star Wars was space opera not sci-fi).

            Exploring how technology affects our lives and what we do with it, that's sci-fi.

            • by swb (14022)

              You and the person you're replying to are both right.

              There's a fair amount of scifi that merely ladles on a bunch of melodrama in the hope that someone will think of it as "character development" when in fact it often just serves as filler and often displaces action and technology.

              "Walking Dead" went down this road IMHO in Season 2 on the Farm. So much of that season was personal and social angst in a rural agricultural setting with the occasional appearance of a zombie. Everything else kind of went by

    • You beat me to it.

      still the south park one was very funny

      http://www.southparkstudios.co... [southparkstudios.com]

    • (and it's pretty sad when Fox has better Sci-Fi on than the Sy-Fy channel)

      What else do you expect from something that sounds like a pet-name for venereal disease?

    • by Lanforod (1344011)
      Bastard. Where was the spoiler warning? I haven't watched that episode yet.
      • by OzPeter (195038)

        Bastard. Where was the spoiler warning? I haven't watched that episode yet.

        Considering that that was the opening sequence of the show I hardly consider that it needed a spoiler alert. Now you may want to shut your eyes before you read about who actually did the hacking .. :D

    • by Grishnakh (216268)

      (and it's pretty sad when Fox has better Sci-Fi on than the Sy-Fy channel)

      Expect the show to be cancelled early. This is typical of Fox: they cancelled Firefly after 14 episodes, and Terra Nova after 1 season (with a cliffhanger).

  • Remember when this company did this [slashdot.org] to their routers?

  • Surprised? (Score:2, Interesting)

    by dysmal (3361085)
    Why is anyone surprised? The more stuff you have online, the more targets you have on your back. This reminds me of the arguments after Stuxnet when people were asking why equipment was online that had no business being online. People are trying to set up their house like the Jetsons with everything automated and controllable from their smart phone. Just because you can, doesn't mean you should! http://www.businessinsider.com... [businessinsider.com] http://online.wsj.com/news/art... [wsj.com]
  • IETF made everything possible, but has unfortunately been somewhat abandoned, or at least isn't functioning as a mooring-of-sanity as it used to. In some ways, this is inevitable, since the e-world is big enough that even a small company can do its own thing, and still succeed big.

    This matters for IoT, since most cloud-enabled IoT devices do totally random things: poke through firewalls with UPNP, shove your private data into some random website, potentially over insecure protocols. (Or protocols that cou

    • by Obfuscant (592200)

      IETF should be thinking along the lines of a *local* data hub that you own,

      You give to IETF more power than they actually have. They document standards. They don't police them. They can't kick someone who violates them off the net. We have a long history of companies who ignore the standards because they want to either "enhance the user experience" or control it ...

      You don't want your fire alarm dependent on random external sites, or your internet-enabled door locks, or your thermostat, etc.

      Most people who buy this kind of stuff want it to "just work". That means they don't care if it uses some cloud services, they want to buy it, plug it in, and have it do something productive. Making it cost more by re

  • by omnichad (1198475) on Tuesday February 18, 2014 @03:30PM (#46278797) Homepage

    That explains all the Black Friday sales on this product. Get them sold before the vulnerability is public. I'm betting they knew about this.

  • "WeMo dumb, we just got our customers robbed."

    Additionally, our mothers are rather large.
  • by Bruha (412869) on Tuesday February 18, 2014 @04:41PM (#46279461) Homepage Journal

    Latest firmware contained security fixes.

    • by msauve (701917)
      So, where can the changelog be found which documents that the latest firmware has addressed all the noted issues?
    • Good, but that doesn't do much for the non-technical people who bought this and won't be checking for firmware updates every weekend.
  • Any automated control should have a local override to disconnect it from the control loop. This is normal practice in process plants. That way when a hacker takes over your thermostat, you put it in override until the access problem is fixed.

    Second, fires by software should not be possible. Protections should be baked into the hardware for home control things that can have e consequences to people.

  • by BUL2294 (1081735) on Tuesday February 18, 2014 @04:57PM (#46279619)
    Not to sound like I'm a crotchety old man telling kids to "stay off my lawn" and eschewing technology, but the Internet of Things really is opening Pandora's box... Currently, manufacturers tend to make a product, find bugs/get user complaints & make a new product. They might produce a few bug/security fixes--but then ignore that product in very short order. But the IoT really changes things, and not for the better...

    Here's an example... Walk around your house and figure out the age of all of your appliances. You probably have a few items (e.g. refrigerator) that are pushing 20 years old??? Now, imagine you buy a few shiny new IoT appliances & they're all connected to the Internet--15+ years from now. Seriously, this is a disaster waiting to happen & a hacker's wet dream... Imagine what support will exist 15 years from now for current versions of Android 4.x, Linux 3.x, Apache, PHP, MySQL, etc. Or better yet, what 1999-era software still receives even security patches or bug fixes? (Win9x--nope. Linux 2.2--nope. IIS4--nope. W2K--nope. SQL Server 7--nope... You get my point...)

    Ultimately, with the IoT, we're trusting that companies will be willing to support their products, including OS kernel patching on FOSS platforms that were long-abandoned by their progenitors, 25-odd years??? Dream on... I don't intend to replace my fridge or washer in a few years because it got "bricked" because of a security hole the manufacturer chose to ignore...

    Belkin's problems are only the beginning...
  • temporary fix (Score:3, Interesting)

    by NetMagi (547135) on Tuesday February 18, 2014 @04:57PM (#46279621)
    If you control your Belkin WeMo's locally like I do (Shell Script To Control Belkin WeMo’s - http://moderntoil.com/?p=839 [moderntoil.com]), the answer is as simple as a few firewall rules to stay safe. First, when I read this, I panicked and blocked all outgoing requests from the IP's of my WeMo's, then watched the firewall log to see what they were trying to do. Mine were pinging my LAN default gateway, trying to connect to "184.73.174.14:3478", and trying to connect to multiple IP's on UDP port 123. I adjusted my rules to allow them to hit the default gateway directly (but not NAT through it), since this is probably some check by the local OS on the WeMo's to see if the network is up. I also allowed them to hit anything on UDP 123 (NTP), since without the current time, they can be useless with a schedule. Looking at my logs now, all I see blocked is the constant requests to "184.73.174.14:3478". Local control resumed normally with these changes in place.
    • by Obfuscant (592200)

      ...all I see blocked is the constant requests to "184.73.174.14:3478".

      Interesting. That's an address in the Amazon cloud. It accepts telnet connections but gives nothing back that I can see.

      It may be something like the attempted external connections I found from an internet power switch. Why would an internet power switch be trying to connect to a site in China? The vendor claims it was their aborted attempt at a dynamic DNS service so you could control the switch from the world. I dunno, but I blocked it anyway.

      At the same time I found this traffic, I also found that a r
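
The egress policy NetMagi describes in the "temporary fix" post above (block everything the switch sends out, then re-allow only the gateway itself and NTP on UDP/123, and watch the firewall log for what is left), written out as an added example. This is not the moderntoil.com script, not Belkin's code, and not something from the post itself. It assumes the firewall is a Linux router using iptables, that the WeMo sits on the LAN interface named in LAN_IF, and that WEMO_IP and GW_IP are the device's and the gateway's LAN addresses; the sample addresses, interface name and log lines are constructed. The only address taken from the page is 184.73.174.14:3478, which the post reported as the endpoint the device keeps trying to reach.

```shell
#!/bin/sh
# Added example: egress allow-list for a locally controlled WeMo switch,
# modelled on the rules described in NetMagi's post. Not NetMagi's script.
#
# Policy the rules implement:
#   1. the device may talk to the LAN gateway itself (but is not NATed through it)
#   2. the device may reach NTP (UDP/123) anywhere, so schedules keep working
#   3. everything else is logged (rate-limited) and dropped; this covers the
#      184.73.174.14:3478 endpoint the post saw
#
# Assumptions (hypothetical): Linux router running iptables, WeMo on LAN_IF.
WEMO_IP="${WEMO_IP:-192.168.1.50}"   # constructed sample; use the switch's static lease
GW_IP="${GW_IP:-192.168.1.1}"        # constructed sample; the LAN default gateway
LAN_IF="${LAN_IF:-eth1}"             # assumed LAN-side interface name
CHAIN="WEMO_EGRESS"

# Emit the iptables commands for one device. Nothing is applied unless the
# output is piped into sh (see apply_rules). Run once; re-running would
# append duplicate jump rules to INPUT and FORWARD.
wemo_egress_rules() {
  dev="$1"; gw="$2"
  cat <<EOF
iptables -N $CHAIN
# Packets addressed to the router itself (INPUT) and packets it would forward
# on the device's behalf (FORWARD) both pass through the same allow-list.
iptables -A INPUT   -i $LAN_IF -s $dev -j $CHAIN
iptables -A FORWARD -i $LAN_IF -s $dev -j $CHAIN
iptables -A $CHAIN -d $gw -j ACCEPT
iptables -A $CHAIN -p udp --dport 123 -j ACCEPT
iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-prefix "WEMO-DROP "
iptables -A $CHAIN -j DROP
EOF
}

# Apply the generated rules (needs root). Only invoked when APPLY=1.
apply_rules() {
  wemo_egress_rules "$WEMO_IP" "$GW_IP" | sh
}

# Reduce one kernel LOG line to "src dst proto dport" so that a day of
# log output can be tallied instead of read by eye.
summarize_drop() {
  printf '%s\n' "$1" | awk '{
    split("", f)
    for (i = 1; i <= NF; i++) {
      n = index($i, "=")
      if (n) f[substr($i, 1, n - 1)] = substr($i, n + 1)
    }
    printf "%s %s %s %s\n", f["SRC"], f["DST"], f["PROTO"], f["DPT"]
  }'
}

# Read LOG lines on stdin and print "count dst proto/dport", most frequent
# first. This is the "watch the firewall log to see what they are trying to
# do" step from the post, automated.
tally_drops() {
  while read -r line; do
    [ -n "$line" ] && summarize_drop "$line"
  done | awk '{ print $2, $3 "/" $4 }' | sort | uniq -c | sort -rn \
       | awk '{ print $1, $2, $3 }'
}

# Constructed sample log lines, in the format iptables' LOG target writes to
# the kernel log (before the gateway and NTP allow rules were in place).
SAMPLE_LOG='Feb 18 14:05:01 gw kernel: [1001.1] WEMO-DROP IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=184.73.174.14 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=49152 DPT=3478 WINDOW=14600 RES=0x00 SYN URGP=0
Feb 18 14:05:02 gw kernel: [1002.2] WEMO-DROP IN=eth1 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Feb 18 14:05:31 gw kernel: [1031.3] WEMO-DROP IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=184.73.174.14 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=49153 DPT=3478 WINDOW=14600 RES=0x00 SYN URGP=0
Feb 18 14:05:45 gw kernel: [1045.4] WEMO-DROP IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=2 PROTO=UDP SPT=123 DPT=123 LEN=56'

# Stand-alone run: print the rule set, then tally the sample log.
wemo_egress_rules "$WEMO_IP" "$GW_IP"
echo
echo "Blocked destinations in the sample log:"
printf '%s\n' "$SAMPLE_LOG" | tally_drops
if [ "${APPLY:-0}" = "1" ]; then apply_rules; fi
```

Running it without APPLY=1 only prints the rules and the tally, so the output can be reviewed first; the tally makes it obvious which entries are the gateway check and NTP (to be re-allowed) and which is the cloud endpoint (left blocked). The `-m limit` on the LOG rule matters in practice because, as the post notes, the device retries that endpoint constantly.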

  • Please tell me the browser cache is screwing with me. Please tell me that my wife wants to have sex more often ( ok that isn't going to happen, I have a 12 and 15 year old) Do we really have Slashdot.org back?
  • Security holes in a Belkin something? Go on, you can't possibly be serious.
  • Self,
    Disconnect chainsaw from home network.

  • 'The cloud' should not have any access to these devices AT ALL. At most, a hole in the firewall should allow external connections to a server running on the LAN that can then talk to the devices (and that should be entirely optional). They should never even try to phone home for any reason. It's nobody's business but mine which lights are turned on.

    That is especially true since according to TFA, Belkin leaked the keys to the kingdom.

  • Just reconnected my two switches. Let's see.
