Forgot your password?
typodupeerror
Security

Oops: Security Holes In Belkin Home Automation Gear 77

Posted by timothy
from the did-you-leave-the-iron-on-or-shall-I? dept.
chicksdaddy writes "The Security Ledger reports that the security firm IOActive has discovered serious security holes in the WeMo home automation technology from Belkin. The vulnerabilities could allow remote attackers to use Belkin's WeMo devices to virtually vandalize connected homes, or as a stepping stone to other computers connected on a home network. IOActive researcher Mike Davis said on Tuesday that his research into Belkin's WeMo technology found the 'devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.' IOActive provided information on Davis's research to the US Computer Emergency Readiness Team (CERT), which issued an advisory on the WeMo issues on Tuesday. There has been no response yet from Belkin."
This discussion has been archived. No new comments can be posted.

Oops: Security Holes In Belkin Home Automation Gear

Comments Filter:
  • Predictable .... (Score:5, Interesting)

    by gstoddart (321705) on Tuesday February 18, 2014 @02:09PM (#46277801) Homepage

    As soon as you start having something poking holes through your firewall to allow inbound traffic, this is pretty much a predictable outcome.

    The internet of things, smart home monitoring, and thermostats you can adjust from the web ... all of these are things which are going to cause security problems, because most companies doing these kinds of things seem to completely ignore security, or when they try, still do a piss poor job.

    I view the whole thing as a big "what did you expect?".

  • Re:Belkin Gear (Score:4, Interesting)

    by J'raxis (248192) on Tuesday February 18, 2014 @02:30PM (#46278063) Homepage

    Maybe their hardware is crap because they're more about abusing their customers [slashdot.org] than providing quality products.

  • Surprised? (Score:2, Interesting)

    by dysmal (3361085) on Tuesday February 18, 2014 @02:37PM (#46278157)
    Why is anyone surprised? The more stuff you have online, the more targets you have on your back. This reminds me of the arguments after Stuxnet when people were asking why equipment was online that had no business being online. People are trying to set up their house like the Jetson's with everything automated and controllable from their smart phone. Just because you can, doesn't mean you should! http://www.businessinsider.com... [businessinsider.com] http://online.wsj.com/news/art... [wsj.com]
  • by BUL2294 (1081735) on Tuesday February 18, 2014 @04:57PM (#46279619)
    Not to sound like I'm a crotchety old man telling kids to "stay off my lawn" and eschewing technology, but the Internet of Things really is opening Pandora's box... Currently, manufacturers tend to make a product, find bugs/get user complaints & make a new product. They might produce a few bug/security fixes--but then ignore that product in very short order. But the IoT really changes things, and not for the better...

    Here's an example... Walk around your house and figure out the age of all of your appliances. You probably have a few items (e.g. refrigerator) that are pushing 20 years old??? Now, imagine you buy a few shiny new IoT appliances & they're all connected to the Internet--15+ years from now. Seriously, this is a disaster waiting to happen & a hacker's wet dream... Imagine what support will exist 15 years from now for current versions of Android 4.x, Linux 3.x, Apache, PHP, MySQL, etc. Or better yet, what 1999-era software still receives even security patches or bug fixes? (Win9x--nope. Linux 2.2--nope. IIS4--nope. W2K--nope. SQL Server 7--nope... You get my point...)

    Ultimately, with the IoT, we're trusting that companies will be willing to support their products, including OS kernel patching on FOSS platforms that were long-abandoned by their progenitors, 25-odd years??? Dream on... I don't intend to replace my fridge or washer in a few years because it got "bricked" because of a security hole the manufacturer chose to ignore...

    Belkin's problems are only the beginning...
  • temporary fix (Score:3, Interesting)

    by NetMagi (547135) on Tuesday February 18, 2014 @04:57PM (#46279621)
    If you control your Belkin WeMo's locally like I do (Shell Script To Control Belkin WeMo’s - http://moderntoil.com/?p=839 [moderntoil.com]), the answer is as simple as a few firewall rules to stay safe. First, when I read this, I panicked and blocked all outgoing requests from the IP's of my WeMo's, then watched the firewall log to see what they were trying to do. Mine were pinging my LAN default gateway, trying to connect to "184.73.174.14:3478", and trying to connect to multiple IP's on UDP port 123. I adjusted my rules to allow them to hit the default gateway directly (but not NAT through it), since this is probably some check by the local OS on the WeMo's to see if the network is up. I also allowed them to hit anything on UDP 123 (NTP), since without the current time, they can be useless with a schedule. Looking at my logs now, all I see blocked is the constant requests to "184.73.174.14:3478". Local control resumed normally with these changes in place.

White dwarf seeks red giant for binary relationship.

Working...